Cenzic 232 Patent
Paid Advertising
web application security lab

Yet another MySpace worm hits

Quadszilla ran a story regarding another giant MySpace worm traveling over the XSS riddled social networking site.  This time it hit the embedded shockwave files, which has long known to allow JavaScript to be embedded in it.  The details of the hack can be found here, and the details of the actual exploit can be found here.

I should note that this is using two seperate vectors.  The first, as I mentioned as the shockwave that MySpace allows in their system.  The second is a JavaScript directive that is split up by a newline and a carriage return (both of which only work in Internet Explorer, Netscape 8.0 in the IE rendering engine mode and Opera.  This exploit is probably confusing to some people who attempt to test it in Firefox, but it definitly works.  All the good stuff happens when I’m gone for a few days!  Geez!

Comments are closed.