web application security lab

MySpace 0-Day Again (Again)

I laughed out loud when I read this. Kuza55 found another issue in MySpace today using the exact same exploit that we have been trying to get them to close, FOUR separate times now. See the earlier post on the XSS hole if you don’t recall what I’m talking about.

Anyway, this is the exact same non-alpha-non-digit issue that they have faced numerous times before: Firefox reads an attribute name up to the first character that can’t be part of a name, treats the junk that follows as if it were whitespace, and still honours the “=” after it. Only this time they got exploited through a different issue they caused for themselves. Remember how I’ve said a number of times not to strip content unless you really know what you’re doing? Well, they don’t really know what they are doing (if you strip in a single pass instead of looping until nothing changes, you are already in trouble, because nested tokens survive one pass). In this case, they stripped out moz-binding (the Firefox CSS issue) and replaced it with “..”. Well, if you make your vector look like onloadmoz-binding= and moz-binding gets replaced with “..”, you get onload..=, which Firefox still treats as onload=.

Kuza55 said it best… you really have to wonder what these MySpace developers are thinking right about now. Anyway, this is why you should never, ever strip or change HTML input unless you know how HTML works in different browsers, lest you get hit with the same issue four times. Nice job Kuza55!
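
The strip-and-replace mistake described above, as an added example in JavaScript that is not MySpace’s code or Kuza55’s exploit: the first function is an assumed reconstruction of a one-pass filter that rewrites moz-binding to “..”, the second is a model (not Gecko’s code) of the lenient attribute parsing the non-alpha-non-digit issue relies on, and the last ones show the loop-until-stable normalisation plus an allow-list check on the form the browser would actually see. The function names, the sample markup and the allow-list are assumptions made for the demonstration.

```javascript
// Added example, not MySpace's code or Kuza55's exploit: reconstructs the
// strip-and-replace mistake the post describes and contrasts it with a
// filter that checks the form the browser will actually see. The function
// names, the sample markup and the exact shape of the original filter are
// assumptions made for the demonstration.

// Constructed payload. "onloadmoz-binding=" contains neither "onload=" nor a
// moz-binding that a naive filter is prepared to find in this position.
const PAYLOAD = '<img src="x" onloadmoz-binding=alert(1)>';

// Assumed reconstruction of the broken filter: one pass that first blocks the
// obvious on<event>= pattern and then rewrites moz-binding to "..".
function naiveStripAndReplace(html) {
  if (/\bon[a-z]+\s*=/i.test(html)) {
    throw new Error("blocked: event handler attribute");
  }
  // replace() is a single pass. The output is never re-checked, so whatever
  // the rewrite produces goes straight to the browser.
  return html.replace(/moz-binding/gi, "..");
}

// Model of the lenient parsing the post calls the "non-alpha-non-digit"
// issue (a model, not Gecko's code): the attribute name is read up to the
// first character that cannot be part of a name, the junk is skipped, and
// the "=" that follows is still honoured. So "onload..=alert(1)" becomes
// the attribute onload with the value alert(1).
function lenientAttributes(tag) {
  const attrs = {};
  const re = /([a-z][a-z0-9-]*)[^a-z0-9=\s>]*\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2].replace(/^["']|["']$/g, "");
  }
  return attrs;
}

// Every attribute name the lenient parser would see across all tags.
function attributeNames(html) {
  const names = [];
  for (const tag of html.match(/<[^>]+>/g) || []) {
    names.push(...Object.keys(lenientAttributes(tag)));
  }
  return names;
}

// One pass of stripping, kept separate so the loop below can be compared
// against it.
function stripOnce(html) {
  return html.replace(/moz-binding/gi, "");
}

// The "while loop" the post mentions: keep normalising until the text stops
// changing, so a nested token like moz-bmoz-bindinginding cannot survive.
function normalize(html) {
  let current = html;
  let previous;
  do {
    previous = current;
    current = stripOnce(current);
  } while (current !== previous);
  return current;
}

// Hardened decision: normalise to a fixed point, parse the result the way
// the browser would, and allow only known attribute names. Anything else is
// rejected rather than "repaired". The allow-list is an assumption.
const ALLOWED_ATTRIBUTES = new Set(["src", "href", "alt", "title", "width", "height"]);

function isSafeMarkup(html) {
  return attributeNames(normalize(html)).every((name) => ALLOWED_ATTRIBUTES.has(name));
}

// Stand-alone demonstration.
const leaked = naiveStripAndReplace(PAYLOAD);
console.log(leaked);                                  // <img src="x" onload..=alert(1)>
console.log(attributeNames(leaked));                  // [ 'src', 'onload' ]
console.log(isSafeMarkup(PAYLOAD));                   // false
console.log(isSafeMarkup('<img src="x" alt="ok">'));  // true
```

Note that the loop alone would not have saved this filter: stripping moz-binding to an empty string instead of “..” turns the payload into onload=alert(1) directly. The check has to run on the final, browser-parsed form, and an unknown attribute has to be rejected rather than rewritten into something that was never checked.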

5 Responses to “MySpace 0-Day Again (Again)”

  1. Sylvan von Stuppe Says:

    I hope that folks understand that MySpace’s problems ought to be somewhat unique. MySpace deliberately allows users to add arbitrary markup to their sites. Most applications don’t need to allow users to add arbitrary markup, and so would be safe by doing output filtering in addition to the existing input validation and explicit charset encoding.

  2. Birdie Says:

    It’s weird no one exploits these new flaws and makes more worms, don’t you think?

  3. WhiteAcid Says:

    I wouldn’t say it’s unique, though maybe near unique to web community sites. Orkut could have a flaw very much like this. There’s bound to be other sites out there or that are currently in development. I have to admit that myspace-like sites aren’t something I keep an eye on.

  4. RSnake Says:

    While they are somewhat unique in what they allow, I would hardly say they are unique entirely. Many companies have the desire to allow more complex/rich content. Users demand it. Ultimately this problem will affect many companies, and if they don’t learn from MySpace’s mistakes they are bound to create their own.

  5. Jungsonn Says:

    Hilarious stuff. ^_^ ROFL! wax nose security.

    Man…, it’s so easy to filter out that vector. They only have to append a blacklist of known and illegal words like ‘onload’ before entering it into their db, which no-one needs in a profile, and who allows users to output unescaped javascript?!?

    i go pop a beer, and chuckle on. ^_^