This version of the page http://websecurity.com.ua/1010/ (0.0.0.0) stored by archive.org.ua. It represents a snapshot of the page as of 2008-02-19. The original page over time could change.
MOSEB-05: Vulnerability at shopping.msn.com - Websecurity - Web security

MOSEB-05: Vulnerability at shopping.msn.com

20:21 05.06.2007

The next participant in the project is MSN. It is the 3rd of the top search engines in the world (in this case the hole is in one of MSN’s projects). Last time I wrote about Microsoft’s search engine in the article Vulnerabilities at search.live.com.

The vulnerability is in the search at MSN Shopping (shopping.msn.com). I found this Cross-Site Scripting hole on 16.05.2007, and it is a very interesting hole.

There is only one catch: Microsoft fixed this vulnerability before this official disclosure. When I checked this hole on the 1st of June, while I was sending notifications to the search engine vendors, I found that MS had fixed this hole (which was planned for MOSEB). It was a bad move from them, because when you are in a project, holes need to be fixed on time, not prematurely. But I found two other holes at MSN (and they are still working), so MS will certainly be in my project (with a working XSS).

XSS:

  • alert(document.cookie) (for IE)

The vulnerability is in the text parameter:
http://shopping.msn.com/noresults/shp/?text=%3C/img%20style=%22xss:e/**/xpression(alert%20(document.cookie))%22%3E

I called this technique Expressive comments filters bypass (using the /**/ trick inside expression). It is an even more advanced technique, because MS filtered “alert(document.cookie)”, and I used a space between alert and the bracket - “alert%20(document.cookie)” (this is another variant of my space-hack technique, which I introduced in Month of MySpace Bugs in the MOMBY-00001011 bug). So I called it the Expressive comments space-hack filters bypass technique.
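The following Python is an added illustration (not code from the original post) of why the blacklist described above fails: a literal substring check misses the comment and space variants of the same payload, a check that normalizes the value first catches it, and HTML-escaping the reflected search term (the actual fix) makes the match irrelevant. The blacklist tokens are assumed; the input is the decoded text parameter from the URL above.

```python
import html
import re
from urllib.parse import unquote

# The decoded "text" parameter from the advisory URL (constructed from the page above).
ADVISORY_TEXT = unquote(
    "%3C/img%20style=%22xss:e/**/xpression(alert%20(document.cookie))%22%3E"
)

# Assumed blacklist tokens, modelled on what the post says MS filtered.
BLACKLIST = ("expression(", "alert(document.cookie)")


def naive_blacklist_blocks(value: str) -> bool:
    """Case-insensitive literal substring match: misses e/**/xpression and alert (...)."""
    low = value.lower()
    return any(tok in low for tok in BLACKLIST)


def normalize_css_js(value: str) -> str:
    """Undo the two evasions from the post before matching:
    strip CSS/JS block comments (e/**/xpression -> expression) and
    collapse whitespace between an identifier and its bracket (alert (x) -> alert(x))."""
    no_comments = re.sub(r"/\*.*?\*/", "", value, flags=re.S)
    return re.sub(r"(\w)\s+\(", r"\1(", no_comments)


def normalized_blacklist_blocks(value: str) -> bool:
    """Blacklist applied after normalization; still only a heuristic."""
    return naive_blacklist_blocks(normalize_css_js(value))


def render_no_results(value: str) -> str:
    """The real mitigation: reflect the search term only after HTML-escaping it,
    so it can never close the attribute or tag it is inserted into."""
    return '<p>No results for: "%s"</p>' % html.escape(value, quote=True)
```

Normalization shows why a blacklist is fragile (each new encoding trick needs a new rule); contextual output encoding is what removes the bug.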

Moral: searching for shopping can be dangerous.

P.S.

I prepared two other holes at MSN. So wait for today’s bonus post, Microsoft can’t hide from me; the time has come for vulnerabilities at their sites.


2 Responses to “MOSEB-05: Vulnerability at shopping.msn.com”

  1. Silentz Says:

    Nice find! I feel this is the first best XSS so far. But I’m sure Microsoft will be quick off the mark to patch this (if it hasn’t been done already!).

    Good evasive techniques as well

  2. MustLive Says:

    Thanks, man.

    I also like this XSS vuln (and other vulnerabilities at MSN which are based on the same technique).

    Microsoft quickly fixed this hole (too quickly) and they have already fixed one hole at autos.msn.com, but the other XSS at autos.msn.com still works.
