Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Myspace Again
Posted by: eyeced
Date: December 15, 2006 03:28PM

As you may or may not have noticed, MySpace have patched the hole found by VWALL (5th December) earlier on today. The original exploit was

<body onload\_="alert('hello')">

which now returns

<body ..="alert(document.cookie)">

which means the XSS is no longer an option through this method.

Well, this post is rushed, but I was too excited not to; after all, I feel I owe something back to this forum. Anyway, to the point: after a little playing around with the new filter and the live headers mentioned in a previous post, I soon discovered a way around the current XSS filters in MySpace.

Here goes.

<body onload\Ø="alert(document.cookie)">

This gets returned as <body onload..Ø="alert(document.cookie)">, which still gets parsed properly in Firefox as JavaScript. It seems MySpace are blocking any direct links between onload & = at the moment, although my method works at the time of this post.

As far as I know this is 0-day, as I found it like 2 minutes ago.

Anyway enjoy.

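As an added, defender's-side illustration (not code from the post, the thread's participants, or MySpace): a hypothetical denylist that only neutralises the exact `onload=` spelling lets a variant with a stray character between the handler name and the `=` straight through, while an allowlist sanitizer built on Python's html.parser drops any attribute it does not recognise, whatever the name contains. The filter regex, the tag/attribute lists and the sample inputs are all assumptions constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs modelled on the payloads quoted in the post above.
DIRECT = '<body onload="alert(document.cookie)">'
SPACED = '<body onload\\Ø="alert(document.cookie)">'   # junk between name and "="
IMG_VARIANT = '<img src="pic.png" onload\\Ø="alert(document.cookie)">'

# Hypothetical denylist in the spirit of "block onload=": it only fires when an
# on* handler name is immediately followed by "=". Not MySpace's actual filter.
EVENT_RE = re.compile(r'\bon[a-z]+=', re.I)

def denylist_filter(markup: str) -> str:
    """Neutralise only the exact 'onxxx=' spelling; anything else passes through."""
    return EVENT_RE.sub('..=', markup)

# Allowlist alternative: parse the markup and keep only known tags and known
# attributes. An attribute name the list does not contain is dropped no matter
# what sits between the handler name and the "=".
ALLOWED = {'img': {'src', 'alt'}, 'a': {'href'}, 'b': set(), 'i': set(), 'p': set()}
VOID = {'img'}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                                   # unknown tag: dropped whole
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED[tag] and v is not None
                and not v.strip().lower().startswith('javascript:')]
        attr_text = ''.join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f'<{tag}{attr_text}>')

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text stays text

def allowlist_sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)
```
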
Re: Myspace Again
Posted by: maluc
Date: December 15, 2006 04:15PM

great work ^^

myspace's filter is fun to poke around with, because they try to stay as accommodating as possible while being secure. that's a sticky situation..

-maluc

Re: Myspace Again
Posted by: Ghozt
Date: December 15, 2006 04:31PM

Does Myspace not fix the profiles that are using the vulnerability? My test profile was still working until I changed the About me section.

Re: Myspace Again
Posted by: eyeced
Date: December 15, 2006 05:44PM

Yeah they do, I'm sure, as they fixed maluc's profile without him changing it before; I remember he had the fragmentation on his, which wasn't changed when I visited it, although it didn't show an alert as it has been patched. Yeah, I was trying some weird ways around the filter, didn't really expect any to work as it was within the same hour the fix came out for the old one, therefore I thought it'd be slightly harder. As far as I know this isn't posted anywhere else, and I thought, due to the help of maluc, ghozt, rsnake, jungsonn and others in my previous post, I should share this information here first.

By the way, did you manage to get the anti-phishing toolbar disabled with the XSS in the Microsoft domain working, maluc? I haven't installed it on this machine yet; I'll check a few out from the MSDN later though and get back to you.

Re: Myspace Again
Posted by: maluc
Date: December 15, 2006 07:29PM

i haven't tested it yet.. been somewhat distracted today figuring out my housing - moving soon .-.

and actually, aside from cleaning out worm remnants - myspace does not clean exploits already put into a profile (it's pretty difficult anyway). But, if you try to update the profile at all.. that xss will be resubmitted.. and this time will be filtered. So if you nevar update your profile, it will always be there ^^

My recommendation is to insert a remote script from a webserver you'll have control of in the future. So if you ever decide to use the hole for something, replace that remote script on your webserver with malware. The reason you saw the one on my profile look neutralized.. is because i updated my profile to put the quicktime hack back in.

-maluc

Re: Myspace Again
Posted by: maluc
Date: December 15, 2006 11:51PM

Edit: moved to the thread it should be in.

-maluc



Edited 1 time(s). Last edit at 12/16/2006 12:16AM by maluc.

Re: Myspace Again
Posted by: Delixe
Date: December 17, 2006 03:44AM

[nevermind]



Edited 1 time(s). Last edit at 12/17/2006 03:47AM by Delixe.
