Note: This vulnerability as well as several more can be found at http://greyhats.cjb.net Hotmail Cross Site Scripting Vulnerability [Tested] IEXPLORE.EXE file version 6.0.2800.1106 MSHTML.DLL file version 6.00.2800.1400 Hotmail Version [who knows] [Discussion] I think it's been a while since we gave hotmail a little challenge don't you? Well here it is :). A brand spankin' new XSS vulnerability is available for use in hotmail and probably hotmail only. Try this: Create a document in MS Word and put in a couple things like pictures and whatnot. Then save it as a webpage. Through all that clutter you'll see something like this: That's like some cool little checker for certain features in the user's browser. What does that do for us? Well, Hotmail was just nice enough to be a little lenient on what goes in-between those 'if' tags. I suppose that's so MS Word can send stuff through email to Hotmail customers without it getting messed up. Unfortunatly, they forgot one thing: Script! Let's put together some nice little 'if' tag. The 'if' tag above checks if ms office '9' is installed. Something cool about these 'if' tags is that you can use an exclamation mark ('!') to check is something is not something else. So I'll use doesnt work. But lets try this: Well whatta ya know. It works :). As far as I know, you can use anything in-between the 'if' tags that you want except <script>. The example script below changes the victim's hotmail language to chinese upon viewing of the message from a browser.