Cenzic 232 Patent
Paid Advertising
web application security lab

Another 0-Day in MySpace

Today eyeced found that MySpace fixed the most recent non-alpha-non-digit 0-day XSS hole in MySpace, but they did so poorly. That’s right, they haven’t fixed the hole at all. I get the feeling they really aren’t understanding the problem, because this is the third time they’ve tried to fix this and the third time they’ve left a hole there. non-alpha-non-digit means exactly that. I doesn’t mean some characters, it means _ANY_ non-alpha-non-digit characters. If MySpace bothered to look up the definition of that function I think they’d have better success in solving their problems. I guess my site isn’t dynamic enough to catch their attention. ;)

Anyway, D8 (in hex) was the character that eyeced used to bypass the newest restrictions that MySpace put in place. It’s funny because I called MySpace out on this last time - if you don’t know how to fix the problem you should probably go figure it out how it works. This is what happens when people don’t follow my advice. They created a kludge on top of a kludge and it took only a matter of hours to find a way around it. Not that many people would know how to do this, but that’s not the point. But if you are as big a target and a presence as MySpace you absolutely must understand how browsers work.

Anyway, great job, eyeced!

5 Responses to “Another 0-Day in MySpace”

  1. Another 0-Day in MySpace of Myspace Html Codes Blog Says:

    […] Original post by RSnake for Myspace News Another 0-Day in MySpace […]

  2. v-wall Says:

    They really are not haveing much luck with filling in the holes, even when people try an help them. Id take a trip back to MySpace to have another play, but seems my test account wont let me log in. hmmm. lol

    Anyway congrats goes out to eyeced for the find. Well done dude.

  3. richard Says:

    please tell me if you can hack myspace passwords email me at rmaxwell770@yahoo.com

  4. ha.ckers.org web application security lab - Archive » MySpace 0-Day Again (Again) Says:

    […] I laughed out loud when I read this. Kuza55 found another issue in MySpace again today using the exact same exploit that we have been trying to get them to close FOUR separate times now. Click here to read about the XSS hole last time if you don’t recall what I’m talking about. […]

  5. metacym Says:

    LOL @ ^ that last commet!