The next participant of the project is MSN. It is the 3rd of the top search engines in the world (in this case the hole is in one of MSN's projects). The last time I wrote about a Microsoft search engine was in the article Vulnerabilities at search.live.com.
The vulnerability is in the search at MSN Shopping (shopping.msn.com). I found this Cross-Site Scripting hole on 16.05.2007, and it is a very interesting hole.
There is only one point to note: Microsoft fixed this vulnerability before this official disclosure. When I checked this hole on the 1st of June, while sending notifications to search engine vendors, I found that MS had fixed it (it had been planned for MOSEB). That was a bad move on their part, because when you are in the project, holes need to be fixed on time, not out of time. But I found two other holes at MSN (and they are still working), so MS will certainly be in my project (with working XSS).
- alert(document.cookie) (for IE)
The vulnerability is in the text parameter:
I called this technique Expressive comments filters bypass (using the /**/ trick inside expression). It is an even more advanced technique, because MS filtered "alert(document.cookie)", and I used a space between alert and the bracket, "alert%20(document.cookie)" (this is another variant of my space-hack technique, which I introduced in the Month of MySpace Bugs in the MOMBY-00001011 bug). So I called it the Expressive comments space-hack filters bypass technique.
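The point the technique above makes for a defender is that a filter matching literal strings is defeated by anything that changes the string without changing what the browser executes: a comment in the middle of a token sequence or a URL-encoded space before the call bracket. The following is an added example, not code from the original post or from Microsoft, showing why the naive filter misses the two variants the post names, how normalizing the input before matching closes those two gaps, and why the real fix is to HTML-encode the reflected search term instead of relying on a blocklist at all. The function names, the blocklist and the sample queries are constructed for illustration.

```javascript
// Added example (not from the original post). Illustrates why a literal
// blocklist on a reflected search term fails, and what the fix looks like.

// Naive filter of the kind the post describes: it only rejects the exact
// string "alert(document.cookie)".
const BLOCKED = ['alert(document.cookie)'];

function naiveFilterBlocks(input) {
  return BLOCKED.some((s) => input.includes(s));
}

// Normalize before matching: percent-decode, strip /* ... */ comments,
// remove all whitespace, lower-case. This removes exactly the two
// evasions named in the post (comment insertion and a space before the
// bracket). It is a detection aid, not a substitute for output encoding.
function normalize(input) {
  let s = input;
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Malformed percent-escapes: fall back to the raw string.
  }
  s = s.replace(/\/\*[\s\S]*?\*\//g, ''); // drop block comments
  s = s.replace(/\s+/g, ''); // drop whitespace of every kind
  return s.toLowerCase();
}

function normalizedFilterBlocks(input) {
  const n = normalize(input);
  return BLOCKED.some((s) => n.includes(s.toLowerCase()));
}

// The actual mitigation: encode the value for the HTML text context it is
// reflected into, so the browser renders it as data rather than markup.
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[c]));
}

// Hypothetical page fragment that reflects the search term.
function renderSearchResultHeading(term) {
  return `<h2>Results for: ${htmlEncode(term)}</h2>`;
}

// Constructed sample queries mirroring the variants the post describes.
const samples = {
  plain: 'alert(document.cookie)',
  spaced: 'alert%20(document.cookie)', // space-hack variant
  commented: 'alert/**/(document.cookie)', // comment-insertion variant
};

// Table of which filter catches which sample, for reading at the console.
function filterReport() {
  const rows = {};
  for (const [name, q] of Object.entries(samples)) {
    rows[name] = {
      naive: naiveFilterBlocks(q),
      normalized: normalizedFilterBlocks(q),
    };
  }
  return rows;
}

console.table(filterReport());
console.log(renderSearchResultHeading('<b>shoes</b>'));
```

The report shows the naive filter catching only the plain string while the normalized filter catches all three; the encoded heading shows that the reflected term survives as visible text and never reaches the parser as markup, which is the property the search page needed regardless of what any blocklist does.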
Moral: searching for shopping can be dangerous.
I have prepared two other holes at MSN. So wait for today's bonus post, Microsoft can't hide from me: the time has come for vulnerabilities at their sites.