Advisory MOMBY-00000100: MySpace XSS (classifieds.searchCategory)
Press Embargo until April 4, 2007
Noobs: ** LOLs: **** 0wnz: *** 1/2
In MOMBY-00000011, we discussed a well-filtered HTML and link insertion in the classifieds.searchCategory on http://classifieds.myspace.com. Let's look again, shall we?
Example url: http://classifieds.myspace.com/index.cfm?f
The bold section is the important bit: style=%22zing:expre%00ssion(. Note the "expression" style function. This is a Microsoft-only device, used mostly for dynamically updating positioning information for HTML elements. While Myspace correctly accounts for, and filters, "expression" functions of style tags, they sadly do not account for "expression" when broken up by URL-encoded nulls.
This allows the full range of XSS attacks against the myspace.com domain, ranging from full browser window hijacking on down through pin-up girl oogling. Note, due to the reliance on expression(), this is an Internet Explorer-only issue. Which is only 90% of the entire Myspace user community. Oh well!
Credit: Wladimir first reported this nifty evasion independent of MOMBY-00000011. It's probably pretty good for other insertion points reported through the MOMBY Institute For the Advancement of the Haxological Arts.