M.O.M.B.Y! (momby) wrote,
MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS

Advisory MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS
Press Embargo until April 9, 2007

Rankings:

Noobs: **
LOLs:  *******
0wnz:  *****

A cross-site scripting vulnerability exists in the "index.cfm?fuseaction" web application on Myspace.com. Fuseaction is the main navigation application, common to nearly all aspects of the *.myspace.com domain. This XSS vector works in all tested areas of Myspace. The problem occurs because a URL parameter is reflected back to the user inside a quoted HTML attribute without the quote character being sanitized, so the attacker-controlled value can terminate the attribute and introduce an event handler attribute of its own.

This vulnerability ranks two "Noobs" due to the complexity of the underlying response -- the XSS insertion point is not immediately obvious in the HTTP responses generated when inspecting the transactions with simple web code auditing techniques using FireBug and TamperData. Note, these are both excellent tools for discovering low-hanging XSS fruit -- just not this one.

Sample link: http://www.myspace.com/index.cfm?fuseaction=splash&schoolID=test'/onload='alert(document.location)

(Works for both IE and Firefox)
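To make the mechanism and the fix concrete, here is an added example (not code from the advisory or from Myspace) that reflects a parameter into a single-quoted attribute in a hypothetical template, once verbatim and once with attribute-context encoding, then parses the resulting markup the way a browser would to see whether any `on*` event handler attribute appeared. The template, function names and the use of `html.escape` as the fix are assumptions for illustration; the sample value is the advisory's own `schoolID` payload.

```python
import html
from html.parser import HTMLParser

# Constructed template (hypothetical, not Myspace's actual markup): the
# schoolID parameter is reflected into a single-quoted attribute value.
TEMPLATE = "<input type='hidden' name='schoolID' value='{value}'>"

# Constructed sample input: the payload from the advisory's sample link.
SAMPLE = "test'/onload='alert(document.location)"


def render_unescaped(school_id: str) -> str:
    """Reflect the parameter verbatim: the defect class the advisory describes."""
    return TEMPLATE.format(value=school_id)


def render_escaped(school_id: str) -> str:
    """Attribute-context encode before reflecting.

    html.escape(..., quote=True) rewrites ' to &#x27; and " to &quot;, so the
    value can no longer close the attribute it is placed in.
    """
    return TEMPLATE.format(value=html.escape(school_id, quote=True))


class EventHandlerAuditor(HTMLParser):
    """Collect every on* attribute a browser would treat as an event handler."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def event_handlers(markup: str):
    """Return [(tag, attribute, value), ...] for event handler attributes in markup."""
    auditor = EventHandlerAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.handlers


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        markup = render(SAMPLE)
        print(f"{label}: {markup}")
        print(f"  event handlers: {event_handlers(markup)}")
```

Note that no space is needed in the payload: `/` separates attributes in HTML, which is why the `value='test'/onload='...'` form parses as a new attribute. The encoded rendering keeps the whole string inside the original attribute, so the parser reports no handler; the corresponding server-side fix is to apply attribute-context encoding to every reflected value and to always quote attributes, rather than to filter specific strings.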

Screenshot: http://pics.livejournal.com/momby/pic/0000abhy

Credit: Wladimir first reported this vulnerability. He is also smarter than MOMBY, and provided several other vectors and implementations of this bug, but not much in the way of discovery methodology or background. Hopefully he (or someone else more familiar with the vulnerability) will explain the details a little better in the comments section of this advisory.

Tags: event handler, fuseaction, xss