MOSEB-05: Vulnerability at shopping.msn.com

20:21 05.06.2007

The next participant in the project is MSN. It is the 3rd of the top search engines in the world (in this case the hole is in one of MSN’s projects). Last time I wrote about Microsoft’s search engine in the article Vulnerabilities at search.live.com.

The vulnerability is in the search at MSN Shopping (shopping.msn.com). I found this Cross-Site Scripting hole on 16.05.2007, and it is a very interesting hole.

There is only one thing: Microsoft fixed this vulnerability before this official disclosure. When I checked this hole on the 1st of June, while I was sending notifications to the search engine vendors, I found that MS had fixed this hole (which was planned for MOSEB). It was a bad move from them, because when you are in the project, holes need to be fixed in time, not untimely. But I found two other holes at MSN (and they are still working), so MS will certainly be in my project (with a working XSS).

XSS:

The vulnerability is in the text parameter:
http://shopping.msn.com/noresults/shp/?text=%3C/img%20style=%22xss:e/**/xpression(alert%20(document.cookie))%22%3E

I called this technique Expressive comments filter bypass (using the /**/ trick in expression). And it is an even more advanced technique, because MS filtered “alert(document.cookie)”, and I used a space between alert and the bracket - “alert%20(document.cookie)” (this is another variant of my space-hack technique, which I introduced in the Month of MySpace Bugs in the MOMBY-00001011 bug). So I called it the Expressive comments space-hack filter bypass technique.
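To show from the defender’s side why a literal blacklist of the kind described here fails, and what a filter must do instead, here is an added example (it is not code from the original post, nor Microsoft’s filter): a naive substring check is compared with one that canonicalizes the value first (URL-decodes, strips CSS comments, removes whitespace before an opening bracket), and the actual mitigation, escaping the reflected value, is shown alongside. The sample query values are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample query values: the shape of the bypass the post describes,
# and an innocuous search term for comparison.
SAMPLES = {
    "bypass": "%3C/img%20style=%22xss:e/**/xpression(alert%20(document.cookie))%22%3E",
    "benign": "red%20shoes",
}

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
BLACKLIST = ("expression(", "alert(document.cookie)")


def naive_filter(value: str) -> bool:
    """Literal blacklist: matches only the exact substrings, so a CSS comment
    inside the keyword or a space before the bracket slips past it."""
    decoded = unquote(value).lower()
    return any(bad in decoded for bad in BLACKLIST)


def normalize(value: str) -> str:
    """Canonicalize before matching: decode until stable, drop CSS comments,
    and collapse whitespace between an identifier and its opening bracket."""
    decoded = value
    for _ in range(3):  # bounded loop guards against double-encoded input
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = CSS_COMMENT.sub("", decoded)
    decoded = re.sub(r"\s+\(", "(", decoded)
    return decoded.lower()


def normalized_filter(value: str) -> bool:
    """Same blacklist, applied to the canonical form."""
    n = normalize(value)
    return any(bad in n for bad in BLACKLIST)


def safe_reflect(value: str) -> str:
    """The real fix: HTML-encode the value before echoing it into the page,
    so neither '"' can close an attribute nor '<' open a tag."""
    return html.escape(unquote(value), quote=True)
```

Blacklists stay a detection aid at best; the escaping in safe_reflect is what removes the injection regardless of how the keyword is spelled.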

Moral: searching for shopping can be dangerous.

P.S.

I prepared two other holes at MSN. So wait for today’s bonus post ;-) Microsoft can’t hide from me; the time has come for vulnerabilities at their sites.


6 Responses to “MOSEB-05: Vulnerability at shopping.msn.com”

  1. Silentz says:

    Nice find! I feel this is the first best XSS so far. But I’m sure Microsoft will be quick off the mark to patch this (if it hasn’t been done already!).

    Good evasive techniques as well ;)

  2. MustLive says:

    Thanks, man.

    I also like this XSS vuln :) (and the other vulnerabilities at MSN which are based on the same technique).

    Microsoft quickly fixed this hole (too quickly) and they already fixed one hole at autos.msn.com, but the other XSS at autos.msn.com still works.

  3. MRosales says:

    I believe that Microsoft, MSN, and Passport.NET are causing a lot of system crashes if you have downloaded any other browser and are utilizing it. I found a webpage on Microsoft.com that had corrected a lot of errors but they were not corrected or easily accessible to all.

  4. MustLive says:

    MRosales

    Yes, Microsoft’s web sites are not fully compatible with browsers besides IE, so these sites can be uncomfortable to use with alternative browsers. Not a complete system crash, at most a browser crash, but still an uncomfortable experience. So they are not fully accessible for users of alternative browsers.

  5. yamery says:

    hola :mrgreen:

  6. MustLive says:

    Hello yamery 8-)
