As you may or may not have noticed myspace have patched the hole in found by VWALL (5th december) earlier on today. The original exploit was

<body onload\_="alert('hello')">

which now returns

<body ..="alert(document.cookie)">

which means the xss is no longer an option through this method.

Well this post is rushed, but i was too excited not to, after all i feel i owe something back to this forum. Anyway to the point, after a little playing around with the new filter and the live headers mentioned in a previous post, i soon discovered a way around the current xss filters in myspace.

here goes.

<body onload\Ø="alert(document.cookie)">

This gets returned as <body onload..Ø="alert(document.cookie)"> which still gets parsed properly in firefox as javascript. It seems myspace are blocking any direct links between onload & = at the moment, although my method works at the time of this post.

As far as i know this is 0-day as i found it like 2minutes ago.

Anyway enjoy.

great work ^^

myspace's filter is fun to poke around with, because they try to stay as accomodating as possible while being secure. that's a sticky situation..

-maluc

Does Myspace not fix the profiles that are using the vulnerability? My test profile was still working until I changed the About me section.

Yeah they do im sure, as they fixed maluc's profile without him changing it before, i remember he had the fragmentation on his which wasnt changed when i visited it although it didnt show an alert as it has been patched. Yeah, i was trying some wierd ways around the filter, didnt really expect any to work as it was within the same our the fix came out for the old one, therefor i thought it'd be slightly harder. As far as i know this isnt posted any where else, and i thought due to the help of maluc,ghozt,rsnake,jungsonn and others in my previous post i should share this information here first.

By the way did you manage to get the anti phishing toolbar disabled with the xss in the microsoft domain working maluc? I haven't installed it on this machine yet, ill check a few out from the MSDN later though and get back to you.

i havent tested it yet.. been somewhat distracted today figuring out my housing - moving soon .-.

and actually, aside from cleaning out worm remnants - myspace does not clean exploits already put into a profile (it's pretty difficult anyway). But, if you try to update the profile at all.. that xss will be resubmitted.. and this time will be filtered. So if you nevar update your profile, it will always be there ^^

My recommendation is to insert a remote script from a webserver you'll have control of in the future. So if you ever decide to use the hole for something, replace that remote script on your webserver with malware. The reason you saw the one on my profile look neutralized.. is because i updated my profile to put the quicktime hack back in.

-maluc

Edit: moved to the thread it should be in.

-maluc



Edited 1 time(s). Last edit at 12/16/2006 12:16AM by maluc.

[nevermind]



Edited 1 time(s). Last edit at 12/17/2006 03:47AM by Delixe.