MOSEB-05 Bonus: Vulnerabilities at autos.msn.com

22:51 05.06.2007

New bonus vulnerabilities at MSN. I found these Cross-Site Scripting holes on 02.06.2007, and they are also interesting XSS. I found them while looking for other holes for the project, after Microsoft prematurely fixed one that I had prepared. Microsoft needs to behave properly (when participating in the project) and not do such lame things (holes need to be fixed at the right time).

The holes are at another MSN project (autos.msn.com), in its search functions (Car Dealer Listings and Used Car Listings). These two vulnerabilities are of the same kind as MOSEB-05: Vulnerability at shopping.msn.com. The XSS holes are based on my Expressive comments space-hack filter bypass technique.

XSS:

The vulnerability is in the zip parameter (in both scripts):
http://autos.msn.com/newcar/default.aspx?zip=%22%3C/img%20style=%22xss:e/**/xpression(alert%20(document.cookie))%22%3E

Moral: searching for autos can be dangerous.

P.S.

About the Expressive comments filter bypass technique.

This technique (and its advanced version, Expressive comments space-hack filter bypass) is designed for XSS attacks. It makes XSS holes possible at .NET sites in the IE browser. It can be used to bypass .NET filters to carry out XSS attacks (these holes at MSN are just some examples).

You can read more about this technique at ha.ckers.org (about Arian Evans' work; he developed the same technique independently of me). Owners of .NET sites need to take care of their projects and fix this type of vulnerability.
