web application security lab

MySpace XSS for Firefox 0day

Whelp, V-Wall is at it again, finding more XSS vulnerabilities in MySpace. This one is pretty interesting, because I think it proves a few points that are worth discussing. First of all, let's just show the exploit in action:

* Photo of v-wall entering the primary vector.

* Photo of v-wall viewing source and seeing that MySpace has modified the vector.

* Photo of v-wall using the vector as modified.

So here's the deal. MySpace sees his vector, which uses onload_= and relies on the non-alpha-non-digit XSS trick: Firefox's parser ignores non-alphanumeric junk sitting between an attribute name and the equals sign, so the event handler still binds. That works in Firefox. Now MySpace decides to rewrite the forward slash in the vector into ".." and thinks that will break it. Au contraire! The result looks like onload.._= which, to Firefox, is still plain onload= and doesn't change the vector one bit. (The trick depends on that older, lenient parser: a browser following the HTML5 tokenizer treats onload.._ as an attribute name of its own and never binds a handler, which is exactly why you should know how the browsers your users actually run parse markup.)

Lessons learned? 1) Don't rewrite vectors if you don't know what you're doing; rewriting changes the bytes without necessarily changing what the browser sees. 2) Make certain you have re-tested all known vectors against your conversion filters, since the filter output, not the input, is what reaches the browser. 3) Don't accept HTML, duh! Well, that last one is mine, but really, if you can help it, don't allow users to enter anything that can execute code. Getting this wrong leaves MySpace open to another worm, account takeovers or worse. Ouch. Thanks to V-Wall for the info!
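To make the filter failure concrete, here is an added example that is not code from the original post or from MySpace. It models the rewrite the post describes (slash becomes "..") and a deliberately simplified model of the old Firefox quirk (a handler name followed by non-alphanumeric junk and then "=" still binds); the model is not real browser code. The test vector is constructed to match the before/after shapes given in the post, and the htmlEncode function is the hardened alternative: encode the input rather than rewrite it.

```javascript
// Added example, not from the original post. All functions below are
// illustrative models of the behaviour described in the text.

// What the post says MySpace's filter did: rewrite "/" into "..", keep the rest.
function rewriteSlashFilter(html) {
  return html.replace(/\//g, "..");
}

// Simplified model of the legacy Firefox "non-alpha-non-digit" quirk:
// inside a tag, an event-handler name followed by non-alphanumeric junk and
// then "=" is treated as the plain handler name. Returns the handler names
// such a parser would bind. This is a model, not real browser code.
function legacyHandlerNames(html) {
  const names = [];
  for (const tag of html.match(/<[^>]*>/g) || []) {
    const re = /\b(on[a-z]+)[^a-z0-9\s=]*\s*=/gi;
    let m;
    while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  }
  return names;
}

// Hardened alternative: do not rewrite, encode. Markup characters are turned
// into entities so the input can never open a tag in the first place.
function htmlEncode(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Run the three treatments over one vector and report what the model parser
// would bind in each case.
function demo(vector) {
  const rewritten = rewriteSlashFilter(vector);
  return {
    rewritten,
    handlersBefore: legacyHandlerNames(vector),
    handlersAfter: legacyHandlerNames(rewritten),
    handlersEncoded: legacyHandlerNames(htmlEncode(vector)),
  };
}

// Constructed vector shaped after the post: slash, then junk, then "=".
const SAMPLE_VECTOR = '<img src=x onload/_=alert(1)>';
console.log(JSON.stringify(demo(SAMPLE_VECTOR), null, 2));
```

The rewritten vector still binds onload in the model parser, while the encoded version contains no tag at all, so there is nothing to bind.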

11 Responses to “MySpace XSS for Firefox 0day”

  1. maluc Says:

    very very clever. love it.

    and it’s not really a shame on MySpace’s part .. who could’ve predicted that _-_. probably would’ve eluded an audit

    anyways .. fix those image links to -2.jpg and -3.jpg

  2. Jungsonn Says:

    Filtering is always a bad idea on such sites. Just strip and convert to non-HTML.

    And why do they allow script tags partially?
    That's weird, if I may say.

  3. WhiteAcid Says:

    Those photos all link to the same file. The other screenshots are ..2.jpg and ..3.jpg
    Don't MySpace still allow those QuickTime scripts anyway?

  4. maluc Says:

    Yup.. they do.. if anyone wants to see for sure http://myspace.com/cookietheft . But I don't recommend being logged in at the time :x

  5. RSnake Says:

    Sorry about that guys… quick cut and pasting got me. I fixed those links. Thanks!

  6. RSnake Says:

    I have no idea why digi7al64 can’t post here but here is what he said:

    I had to laugh when I saw this.

    I guess MySpace will be approaching Firefox to fix this apparent flaw in their browser… just as they have approached Apple to fix the QuickTime flaw!

    On a side note, I'm not too sure if it is still usable, but http://www.criticalsecurity.net/index.php?showtopic=14573&st=0 which I published back in July used base64 encoding in links to pwn Firefox users on MySpace. Would be interesting to see what else you could come up with.

  7. digi7al64 Says:

    thanks for that RSnake.

  8. maluc Says:

    _-_ Well, I think movie files really shouldn't be allowed to run JavaScript. I understand they may want it for DRMing, or for additional interactivity of webpages.. but it's still a bad idea IMO.

    Still though, I've heard QT supports a parameter in the embed tag that can disable scripting.. but I don't remember what that parameter is, and can't seem to find it again.

    Ah well, I'll leave that as an exercise for MySpace admins.

  9. Adam Says:

    Well that’s crazy.. my profile now pops up hi ;)!

  10. Joe Says:

    "Still though, I've heard QT supports a parameter in the embed tag that can disable scripting."

    I believe QuickTime did have a feature to stop JavaScript from running in a .mov file; it's called enableJSURL.
    From my findings, IE would stop JavaScript from executing when enableJSURL=true is included in the tag, but Firefox still allowed the execution of JavaScript.

  11. ha.ckers.org web application security lab - Archive » Another 0-Day in MySpace Says:

    […] Anyway, D8 (in hex) was the character that eyeced used to bypass the newest restrictions that MySpace put in place. It's funny because I called MySpace out on this last time: if you don't know how to fix the problem, you should probably go figure out how it works. This is what happens when people don't follow my advice. They created a kludge on top of a kludge, and it took only a matter of hours to find a way around it. Not that many people would know how to do this, but that's not the point. If you are as big a target and a presence as MySpace, you absolutely must understand how browsers work. […]