[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Windows Live Spaces logged user NetworkSetup.aspx cross site scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Windows Live Spaces logged user NetworkSetup.aspx cross site scripting
From: paolo.difebbo@xxxxxxxxx
Date: 29 Mar 2007 13:12:20 -0000

Windows Live Spaces has a XSS vulnerability in NetworkSetup.aspx page.

This vuln affects every windows live space and it works only on logged users.

With this vuln you can grab cookies and so gain the access to the blog's admin 
panel, where you can edit user's options and data, MSN Messenger nickname, 
personal image and other informations too.

Here a PoC:
http://bug.spaces.live.com/NetworkSetup.aspx?dp=1&cfs=%22%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

Credits: Paolo Di Febbo

Prev by Date: Re: Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability
Next by Date: Re: Re: Bypass phishing protection in Firefox / Opera
Previous by thread: Re: Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability
Next by thread: AOL 9.0 Deskbar.dll/Toolbar.dll DoS Vulnerability
Index(es):
- Date
- Thread