Advisory Title: MSN Groups
makes cross site scripting easy
Release Date: 28/07/2002
Platform: Not applicable.
Version: till 28.Jun.2002 this exploit still works.
a. I informed firstname.lastname@example.org on 27 th May 2002 (2 months ago)
b. 30th May I got confirmation that they opened an "MSRC investigation".
c. ID for this investigation is "ID is [MSRC 1174dg]"
d. No FIX yet. Plus I got no further feedback from Microsoft. I'm
quite sure the investigation got lost somewhere :-p
I put up email conversation with Microsoft on EoS:
(extracted from the help on http://groups.msn.com/)
My Groups is a list of links to all the MSN groups
that you have created,
joined, or marked as interesting places to visit again. When you
are signed in with your Microsoft .NET Passport, your My Groups
list can be viewed:
o On the MSN People & Chat page.
o On the MSN Groups home page.
o When you click My Groups near the upper-left corner of any MSN
Groups that you join or create are automatically
added to your My Groups list. You can also add groups you like to
visit by clicking Add to
Groups I Visit on the What's New page of the group.
Groups.MSN.com allows any member to upload any file
and share them with others. This means that malicious users can
and VBScript. Some of these file types include:
- maybe a lot more file types.
Before accessing this page you will be asked to authenticate.
I put up 2 examples:
c00kie.swf (check out http://eyeonsecurity.net/papers for more info)
Both of these examples popup an alert with the cookie
You may also link to these from Hotmail by sending
an e-mail as demonstrated
on "Demo 3": http://eyeonsecurity.org/advisories/flash-demo/
There are different approaches that should be taken.
I think the approach should be the same as with other Cross Site
The information within this document may change
without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
Please send suggestions, updates, and comments to:
Eye on Security
mail : email@example.com
web : http://www.eyeonsecurity.org