[VulnWatch] MSN Groups makes cross site scripting easy

From: Obscure (obscureat_private)
Date: Sat Aug 03 2002 - 13:04:07 PDT


    Advisory Title: MSN Groups makes cross site scripting easy
    
    Release Date: 28/07/2002
    
    Application: http://groups.msn.com/
    
    Platform: Not applicable.
    
    Version: as of 28.Jun.2002 this exploit still works.
    
    Severity: XSS!
    
    Author:
    Obscure
    [ obscureat_private ]
    
    Vendor Status:
    a. I informed secureat_private on 27th May 2002 (2 months ago)
    b. 30th May I got confirmation that they opened an "MSRC
    investigation".
    c. ID for this investigation is "ID is [MSRC 1174dg]"
    d. No FIX yet. Plus I got no further feedback from Microsoft. I'm
    quite sure the investigation got lost somewhere :-p
    
    I put up email conversation with Microsoft on EoS:
    http://eyeonsecurity.net/advisories/msngroups/secure_at_microsoft/
    
    
    Web:
    
    http://eyeonsecurity.net/advisories/msngroups/
    
    
    Background.
    
    (extracted from the help on http://groups.msn.com/)
    
    My Groups is a list of links to all the MSN groups that you have
    created, joined, or marked as interesting places to visit again. When
    you are signed in with your Microsoft .NET Passport, your My Groups
    list can be viewed:
    
    o On the MSN People & Chat page.
    o On the MSN Groups home page.
    o When you click My Groups near the upper-left corner of any MSN
    Groups page.
    
    Groups that you join or create are automatically added to your My
    Groups list. You can also add groups you like to visit by clicking Add
    to Groups I Visit on the What's New page of the group.
    
    
    Problem
    
    Groups.MSN.com allows any member to upload any file and share it
    with others. This means that malicious users can upload files which
    can contain Active Content such as JavaScript and VBScript. Some of
    these file types include:
    o HTML
    o SWF
    o maybe a lot more file types.
    
    
    Exploit Examples.
    
    http://groups.msn.com/eyeonsecurity/page.msnw
    Before accessing this page you will be asked to authenticate.
    I put up 2 examples:
    b33p.html
    c00kie.swf (check out http://eyeonsecurity.net/papers for more info)
    
    Both of these examples pop up an alert with the cookie data.
    
    You may also link to these from Hotmail by sending an e-mail as
    demonstrated on "Demo 3": http://eyeonsecurity.net/advisories/flash-demo/
    
    
    Fix.
    
    There are different approaches that should be taken. I think the
    approach should be the same as with other Cross Site Scripting issues.
    
    
    Disclaimer.
    
    The information within this document may change without notice. Use of
    this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties with regard to this information.
    In no event shall the author be liable for any consequences whatsoever
    arising out of or in connection with the use or spread of this
    information. Any use of this information lies within the user's
    responsibility.
    
    
    Feedback.
    
    Please send suggestions, updates, and comments to:
    
    Eye on Security
    mail : obscureat_private
    web  : http://www.eyeonsecurity.net
    
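The advisory leaves the fix open ("the same as with other Cross Site Scripting issues"). As an added illustration, not code from the advisory or from MSN, the Python policy below decides how a member-uploaded file is served: allow-listed, non-active types render inline, while HTML, SWF and anything that sniffs as active content is delivered as an opaque download with `nosniff`, so it never executes in the hosting origin. The allow-list, marker set and sample uploads are assumptions constructed for this example.

```python
import os
import re

# Assumed allow-list: extensions a browser renders inline without running script.
SAFE_INLINE = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".txt": "text/plain"}
# SWF files start with "FWS" (uncompressed) or "CWS" (zlib-compressed).
SWF_MAGIC = (b"FWS", b"CWS")
# Markup that makes a file active content once a browser renders it as HTML.
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<object", b"<embed",
                b"<iframe", b"<svg", b"<meta")


def looks_active(data: bytes) -> bool:
    """Sniff the first 4 KiB for HTML or SWF, regardless of the file's name."""
    head = data[:4096]
    if head.startswith(SWF_MAGIC):
        return True
    lowered = head.lower()
    return any(marker in lowered for marker in HTML_MARKERS)


def headers_for_upload(filename: str, data: bytes) -> dict:
    """Headers for serving one member-uploaded file: only allow-listed,
    non-active files render inline; everything else is an opaque download.
    Serving uploads from a cookie-less separate origin is the other half
    of the fix and is a deployment decision outside this function."""
    # Sanitise the name so it cannot inject extra header fields or quotes.
    safe_name = re.sub(r"[^\w.-]", "_", os.path.basename(filename)) or "download"
    ext = os.path.splitext(safe_name)[1].lower()
    inline_type = SAFE_INLINE.get(ext)
    if inline_type is None or looks_active(data):
        return {"Content-Type": "application/octet-stream",
                "Content-Disposition": f'attachment; filename="{safe_name}"',
                "X-Content-Type-Options": "nosniff"}
    return {"Content-Type": inline_type,
            "Content-Disposition": "inline",
            "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    # Constructed sample uploads mirroring the advisory's file types.
    samples = {"b33p.html": b"<html><script>alert(1)</script></html>",
               "c00kie.swf": b"CWS\x08\x00\x00\x00\x00",
               "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "logo.png": b"<script>alert(1)</script>"}  # HTML disguised as PNG
    for name, body in samples.items():
        print(name, headers_for_upload(name, body)["Content-Disposition"])
```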



    This archive was generated by hypermail 2b30 : Sat Aug 03 2002 - 13:43:19 PDT