V Wall just sent me an XSS exploit in Tagworld. Tagworld is a community site very similar to MySpace, allowing people to post blogs, post photos and otherwize find someone to take home for a night. What he found was that certain fields allow for common XSS attack strings. This wouldn’t be a big deal except for the meme aspects of community sites.

This could easily pave the way for another SAMY worm. Granted Tagworld is not the same size or scale as MySpace, but given the turnover in these types of sites (Orkut, Friendster, etc…) to new applications there is no reason this couldn’t end up being a big issue if left unpatched. Here are the screenshots V Wall sent me:

• Loading up the XSS
• Waiting for it to render
• Cookies leaked via XSS

Thanks, V Wall!

/RSnake

This entry was posted on Friday, June 9th, 2006 at 5:10 pm and is filed under XSS, Webappsec. Responses are currently closed, but you can trackback from your own site.