
Hotmail and Windows Live Mail XSS Vulnerabilities







Advisory Name : Hotmail and Windows Live Mail XSS Vulnerabilities
Release Date : 2006.11.03
Tested On : Microsoft IE 6.0
Discovered by : Cheng Peng Su (applesoup_at_gmail.com)

Introduction:
Hotmail and Windows Live Mail are both web-based e-mail services by Microsoft. 

Details:

Hotmail's filter detects "expression()" syntax in CSS attributes. According to Hasegawa Yosuke's post (http://archive.openmya.devnull.jp/2006.08/msg00369.html), in some character encodings (e.g. GB2312) certain special double-byte characters can be substituted for the corresponding characters in "expression()". This yields a malformed CSS attribute in which Hotmail's filter fails to detect and remove the "expression()" syntax.

An example:

Hotmail
--------------------------------------------------
MIME-Version: 1.0
From: user 
Content-Type: text/html; charset=GB2312
Subject: example



exploited
.
--------------------------------------------------

Windows Live Mail
--------------------------------------------------
MIME-Version: 1.0
From: user 
Content-Type: text/html; charset=GB2312
Subject: example



exploited
.
--------------------------------------------------

The injected code inside the CSS attribute can be used for:
- Getting cookies.
- A potential web-based e-mail worm.
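As an added example that is not part of the original advisory: a defender-side comparison of a byte-level filter that never consults the message's declared charset with a hardened filter that decodes strictly, fails closed, and refuses any non-ASCII character inside CSS. The GB2312 sample bytes are constructed for illustration only; the exact bytes Hotmail accepted are not reproduced on this page.

```python
import re

# Token both filters look for: case-insensitive, whitespace allowed before "(".
EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)


def naive_filter_allows(raw: bytes) -> bool:
    """Byte-level check modelled on the failure mode the advisory describes:
    it scans for the literal ASCII bytes of 'expression(' and ignores the
    charset the message declares, so any byte inserted into the keyword
    hides the token from it."""
    return EXPRESSION_RE.search(raw.decode("latin-1")) is None


def hardened_filter_allows(raw: bytes, charset: str) -> bool:
    """Decode with the declared charset first, reject anything that does not
    decode cleanly or names an unknown charset, and refuse any non-ASCII
    character inside CSS. A multi-byte character then can never stand in
    for, or split, part of a dangerous token."""
    try:
        text = raw.decode(charset, errors="strict")
    except (UnicodeDecodeError, LookupError):
        return False  # undecodable bytes or unknown charset: fail closed
    if not text.isascii():
        return False  # CSS in mail has no legitimate need for non-ASCII
    return EXPRESSION_RE.search(text) is None


# Constructed sample style-attribute values (not taken from the advisory).
SAFE = b"color: red"
PLAIN = b"color: expression(x)"
# A GB2312 double-byte character (U+4E2D -> D6 D0) inserted into the keyword,
# in the spirit of the substitution the advisory describes.
SPLIT = b"color: exp" + "\u4e2d".encode("gb2312") + b"ression(x)"
# A lone GB2312 lead byte followed by ASCII: a truncated multi-byte sequence.
BROKEN = b"color: exp\xd6ression(x)"


if __name__ == "__main__":
    for name, sample in [("SAFE", SAFE), ("PLAIN", PLAIN),
                         ("SPLIT", SPLIT), ("BROKEN", BROKEN)]:
        print(f"{name:6} naive={naive_filter_allows(sample)!s:5} "
              f"hardened={hardened_filter_allows(sample, 'gb2312')}")
```

Only SAFE passes the hardened filter; SPLIT and BROKEN slip past the byte-level check yet are rejected once the declared charset is honoured and non-ASCII is disallowed.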

Vendor status:

Microsoft was notified on Sep 25th, 2006. 
The bug is now fixed. 

Original advisory:

http://applesoup.googlepages.com/hotmail_xss.txt 
