Today eyeced found that MySpace fixed the most recent non-alpha-non-digit 0-day XSS hole in MySpace, but they did so poorly. That’s right, they haven’t fixed the hole at all. I get the feeling they really aren’t understanding the problem, because this is the third time they’ve tried to fix this and the third time they’ve left a hole there. Non-alpha-non-digit means exactly that. It doesn’t mean some characters, it means _ANY_ non-alpha-non-digit characters. If MySpace bothered to look up the definition of that function I think they’d have better success in solving their problems. I guess my site isn’t dynamic enough to catch their attention.
Anyway, D8 (in hex) was the character that eyeced used to bypass the newest restrictions that MySpace put in place. It’s funny because I called MySpace out on this last time - if you don’t know how to fix the problem you should probably go figure out how it works. This is what happens when people don’t follow my advice. They created a kludge on top of a kludge and it took only a matter of hours to find a way around it. Not that many people would know how to do this, but that’s not the point. But if you are as big a target and a presence as MySpace you absolutely must understand how browsers work.
Anyway, great job, eyeced!
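
The difference between blocking some characters and rejecting any non-alpha-non-digit separator, as an added example (not code from this post or from MySpace). The deny-list contents, function names and sample markup are constructed, and the sketch assumes that only ASCII whitespace, `>` or a self-closing `/>` may follow a tag name.

```python
import re

# Constructed deny-list standing in for a "block some characters" filter.
# It is not MySpace's actual filter, which the post does not show.
DENYLIST = frozenset(b"!#$%&()*~+-_.,:;?@[|\\]^`=")

# Bytes accepted directly after a tag name in this sketch: ASCII whitespace
# or '>'. '/' is accepted only as part of a self-closing '/>'.
WHITESPACE_OR_CLOSE = frozenset(b" \t\r\n\x0c>")

# '<' followed by an alphanumeric tag name. The match ends at the first
# non-alpha-non-digit byte, which is the byte both policies inspect.
TAG_NAME = re.compile(rb"<([A-Za-z][A-Za-z0-9]*)")


def separators(markup: bytes):
    """Yield (tag_name, next_byte, byte_after) for every opening tag."""
    for m in TAG_NAME.finditer(markup):
        rest = markup[m.end():m.end() + 2]
        if rest:
            yield m.group(1).decode("ascii"), rest[0], rest[1:2]


def denylist_hits(markup: bytes):
    """Flag a tag only when the separator is one of the listed characters."""
    return [(t, hex(b)) for t, b, _ in separators(markup) if b in DENYLIST]


def allowlist_hits(markup: bytes):
    """Flag a tag when the separator is anything other than an accepted one."""
    hits = []
    for tag, b, after in separators(markup):
        ok = b in WHITESPACE_OR_CLOSE or (b == 0x2F and after == b">")
        if not ok:
            hits.append((tag, hex(b)))
    return hits


# Constructed samples: ordinary markup, then the same tag with 0xD8 and '#'
# in the separator position.
CLEAN = b'<b class="x">hi</b><br/>'
D8 = b'<b\xd8class="x">hi</b>'
HASH = b'<b#class="x">hi</b>'

if __name__ == "__main__":
    for sample in (CLEAN, D8, HASH):
        print(sample, denylist_hits(sample), allowlist_hits(sample))
```

The deny-list catches `#` because someone thought to list it, and misses 0xD8 because nobody did; the allow-list flags both without having to know either byte in advance.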