smtp relay check
mailserver:
e-mail:
more info
translate to ...
language:
 
[1] . [2] . [3] . [4] . [5] . [6] . [7] . [8]
EyeonSecurity
Nekromantic
EyeonSecurity Forums
Ob5cureDotCom
elfqrin swg help net security
frame4 security hacker gurus computerglitch
gotr00t b0iler hackinthebox
nekromantic.com astalavista.net wand products
security-protocols
adv-knowledge rootshell wbglinks
security.nnov.ru
 
Copyright © 2001,2002 eyeonsecurity Inc., All Rights Reserved. No portions of eyeonsecurity may be used without express, written permission
 

Advisory Title: MSN Groups makes cross site scripting easy

Release Date: 28/07/2002

Application: http://groups.msn.com/

Platform: Not applicable.

Version: till 28.Jun.2002 this exploit still works.

Severity: XSS

Author:
Obscure
[ obscure@eyeonsecurity.org ]

Vendor Status:
a. I informed secure@microsoft.com on 27 th May 2002 (2 months ago)
b. 30th May I got confirmation that they opened an "MSRC investigation".
c. ID for this investigation is "ID is [MSRC 1174dg]"
d. No FIX yet. Plus I got no further feedback from Microsoft. I'm quite sure the investigation got lost somewhere :-p

I put up email conversation with Microsoft on EoS:
http://eyeonsecurity.org/advisories/msngroups/secure_at_microsoft/


Web:

http://eyeonsecurity.org/advisories/msngroups/

Background.

(extracted from the help on http://groups.msn.com/)

My Groups is a list of links to all the MSN groups that you have created,
joined, or marked as interesting places to visit again. When you are signed in with your Microsoft .NET Passport, your My Groups list can be viewed:

o On the MSN People & Chat page.
o On the MSN Groups home page.
o When you click My Groups near the upper-left corner of any MSN Groups page.

Groups that you join or create are automatically added to your My Groups list. You can also add groups you like to visit by clicking Add to
Groups I Visit on the What's New page of the group.

Problem

Groups.MSN.com allows any member to upload any file and share them with others. This means that malicious users can upload files which can contain Active Content such as JavaScript and VBScript. Some of these file types include:
o HTML
o SWF
- maybe a lot more file types.


Exploit Examples.

http://groups.msn.com/eyeonsecurity/page.msnw
Before accessing this page you will be asked to authenticate.
I put up 2 examples:
b33p.html
c00kie.swf (check out http://eyeonsecurity.net/papers for more info)

Both of these examples popup an alert with the cookie data.

You may also link to these from Hotmail by sending an e-mail as demonstrated
on "Demo 3": http://eyeonsecurity.org/advisories/flash-demo/


Fix.

There are different approaches that should be taken. I think the approach should be the same as with other Cross Site Scripting issues.


Disclaimer.

The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.


Feedback.

Please send suggestions, updates, and comments to:

Eye on Security
mail : obscure@eyeonsecurity.org
web : http://www.eyeonsecurity.org