M.O.M.B.Y! ([info]momby) wrote,
@ 2007-04-09 20:13:00
Current mood: contemplative
Entry tags:event handler, fuseaction, xss

MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS

Advisory MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS
Press Embargo until April 9, 2007

Rankings:

Noobs: **
LOLs: *******
0wnz: *****

A cross-site scripting vulnerability exists in the "index.cfm?fuseaction" web application on Myspace.com. Fuseaction is the main navigation application, common to nearly all aspects of the *.myspace.com domain, and this XSS vector worked in every tested area of Myspace. The problem occurs because quote characters in the URL are not sanitized before the URL is reflected back to the user.

This vulnerability ranks two "Noobs" due to the complexity of the underlying response: the XSS insertion point is not immediately obvious in the HTTP responses you see when inspecting the transactions with simple web code auditing techniques using FireBug and TamperData. Note, these are both excellent tools for discovering low-hanging XSS fruit, just not this one.

Sample link: http://www.myspace.com/index.cfm?fuseaction=splash&schoolID=test'/onload='alert(document.location)

(Works for both IE and Firefox)

Screenshot: http://pics.livejournal.com/momby/pic/0000abhy

Credit: Wladimir first reported this vulnerability. He is also smarter than MOMBY, and provided several other vectors and implementations of this bug, but not much in the way of discovery methodology or background. Hopefully he (or someone else more familiar with the vulnerability) will explain the details a little better in the comments section of this advisory.






(Anonymous)
2007-04-10 01:28 am UTC
uhmmm, the link doesn't exactly work, could one of my extensions be breaking it?


or have they ALREADY patched this?


It Works
(Anonymous)
2007-04-10 01:31 am UTC
I just tried it, and it works.


Re: It Works
(Anonymous)
2007-04-10 02:16 am UTC
Very powerful exploit

I'm sure you can modify it in some way so it loads javascript


Re: It Works
(Anonymous)
2007-04-10 03:32 am UTC
lol. wouldn't we all agree that the "alert" function of javascript is indeed javascript? XD

-AceldamA


Re: It Works
(Anonymous)
2007-04-10 04:48 am UTC
well thanks for being cool enough to share, momby!
i still love your blog idea and it's sweet for learning about security!
=]



[info]raynejanyp
2008-07-17 01:27 am UTC
Posted by: Sara at July AM Love your blog, love your wit, and love your love of the fur friends.


not working
(Anonymous)
2007-04-10 03:00 am UTC
Dang. Not working with FF 2.003


Re: not working
(Anonymous)
2007-04-10 03:10 am UTC
works fine in firefox 2.0.0.3 for me, and IE.. but not in Opera


Re: not working
[info]Владимир Палант [xpoint.ru]
2007-04-10 11:26 am UTC
See my explanation below - this didn't work for people blocking ads.



(Anonymous)
2007-04-10 03:16 am UTC
Firefox 2.0.0.3 On A Mac with Greasemonkey, Firebug, and AdBlock Plus installed. Disabled all extensions, and still doesn't work.


works on IE
(Anonymous)
2007-04-10 03:52 am UTC
works on IE..which is all that matters cause 90% of myspace users have IE


Re: works on IE
(Anonymous)
2007-04-10 03:56 am UTC
I am using IE 6 and I can't seem to get it to work. I can't see anything in the page source that would indicate it would work in any way. What is it I am missing?


Re: works on IE
(Anonymous)
2007-04-10 04:02 am UTC
I agree. This is not working for IE or Firefox. It is either patched or that URL has a typo. I'm assuming it's patched.


Re: works on IE
(Anonymous)
2007-04-10 04:18 am UTC
Not working

people at myspace must be reading this


Re: works on IE
(Anonymous)
2007-04-10 04:20 am UTC
It's definitely patched, it worked earlier for me. Damn guys, stop. Do you actually care about that site?


Re: works on IE
[info]momby
2007-04-10 05:04 am UTC
It's probably wise to assume that once the disclosure here is made, the viability of any exploit using the particular technique is going to be compromised. Please keep that in mind when noticing something doesn't work as advertised.

Note, other fuseaction parameters were vulnerable; "schoolID" was the one disclosed (and demo'ed in the screenshot), but "special" and "videoid" also worked. The original reporter pointed these out, but we were curious if a fix would center around just "schoolID." It wasn't; looks like Fox Interactive is now filtering the whole fuseaction application. So good for you, Myspace!


Re: works on IE
(Anonymous)
2007-04-10 04:30 am UTC
myspace is reading. there's no way in hell they just happened to find it on their own that fast.


Re: works on IE
(Anonymous)
2007-04-10 05:35 am UTC
obviously they are, they would be fools if they didn't
:)


Re: works on IE
(Anonymous)
2007-04-10 05:37 am UTC
wow aren't you just the smart cookie...
i mean the month of bugs has only been advertised on the biggest online news publications.


no work =[
(Anonymous)
2007-04-10 06:51 am UTC
the exploit does not work anymore... patched already O_O

- Synthetic


Re: no work =[
(Anonymous)
2007-04-10 07:43 am UTC
There are still 20 more bugs to be found ...



[info]Владимир Палант [xpoint.ru]
2007-04-10 11:19 am UTC
Discovering this vulnerability: simply looking at the scripts loaded by MySpace and checking where and how they use window.location, document.URL and document.referer. In many cases they use it very carelessly, generate HTML code from parts of it without proper escaping and put it into the document with document.write(). That makes it of course possible to inject HTML code.

Background: This vulnerability is in MySpace's ad serving scripts which explains why some people could not reproduce it - thanks for using my Adblock Plus extension :). In particular, you have to look at function oas_ad() in http://x.myspace.com/js/myspaceJS032.js. It will call QueryString('schoolID') to get the value of the schoolID parameter and then write an ad frame into the document, schoolID being one of the parameters passed to the ad script. They fixed it now by escaping the return value of QueryString().

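As an added example (not code from the advisory, from MySpace or from the commenter), this reproduces the pattern described in the comment above: a stand-in for QueryString() whose value is concatenated into ad-frame markup, the vulnerable shape beside the attribute-escaped shape that the reported fix amounts to, and a small check that tells them apart on the advisory's own sample link. The single-quoted iframe markup, the ad host and all function names are assumptions; the real myspaceJS032.js is not reproduced here.

```javascript
// Added example (not MySpace's code). Stand-in for the ad script's
// QueryString() -> document.write() pattern: vulnerable shape beside an
// attribute-escaped one, plus a check that flags an injected event handler.
// The single-quoted <iframe> markup and the ad host are assumptions.

// Mimics QueryString(name): returns the decoded value of one URL parameter.
function queryString(url, name) {
  const q = url.indexOf('?');
  if (q < 0) return '';
  for (const pair of url.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key !== name) continue;
    const raw = eq < 0 ? '' : pair.slice(eq + 1).replace(/\+/g, ' ');
    return decodeURIComponent(raw);
  }
  return '';
}

// Escapes every character that can close or restructure an HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

const AD_PREFIX = "<iframe src='http://ads.example.invalid/ad?schoolID=";

// Vulnerable shape: the raw parameter is concatenated into the markup, so a
// quote in the value ends the src attribute early (the bug in the advisory).
function adFrameUnsafe(url) {
  return AD_PREFIX + queryString(url, 'schoolID') + "'></iframe>";
}

// Hardened shape: the value is attribute-escaped before being written.
function adFrameSafe(url) {
  return AD_PREFIX + escapeAttr(queryString(url, 'schoolID')) + "'></iframe>";
}

// Review helper: blank out quoted attribute values, then look for an
// onload= attribute that survives outside the quotes (preceded by a space
// or, as in the sample link, a slash).
function hasInjectedHandler(html) {
  const outsideQuotes = html.replace(/'[^']*'|"[^"]*"/g, "''");
  return /[\s\/]onload=/i.test(outsideQuotes);
}
```

Run against the sample link from the advisory, adFrameUnsafe() yields markup with a free-standing onload attribute while adFrameSafe() keeps the whole value inside the src quotes.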

Adblock Plus
(Anonymous)
2007-04-10 10:20 pm UTC
I freakin' love your extension. Keep up the good work.



(Anonymous)
2007-04-11 12:47 am UTC
pity. i really loved this exploit. 'twas a really good find, so well done on that.

-AceldamA



(Anonymous)
2007-04-10 04:52 pm UTC
Not working on Safari.



[info]Владимир Палант [xpoint.ru]
2007-04-10 05:19 pm UTC
See above - this has been patched shortly after the advisory was published. Anyway, this particular exploit depends on browser quirks, so maybe it never worked in Safari. Which doesn't mean that Safari is "immune", the code simply needs to be adapted (e.g. for Opera you have to leave out the slash before onload).


MOMBY-00001000
(Anonymous)
2007-04-11 06:10 pm UTC
This hole was nice, because it was XSS, not just HTML Injection.

But like in some previous cases (with MOMBY's holes), MySpace fixed it very fast. Even too fast, because when I came to the MOMBY site and read about this 8th vulnerability, it was already fixed. So I had no time to look at the working hole.

And for this reason (because it is not nice), I recommend MySpace not to hurry too much to fix every hole posted here, but to give people some more time to look at working holes ;-). MySpace guys need to respect the web security community and need to take into account that we all live in different time zones. So it will be nice to give the holes some hours of life.

Best wishes & regards,
MustLive


