M.O.M.B.Y! ([info]momby) wrote,
@ 2007-04-10 22:00:00
Current mood: artistic
Entry tags:event search, html insertion, kinda lame, tila tequila

MOMBY-00001001: Myspace Events searchForm "zip" HTML insertion
Advisory MOMBY-00001001: Myspace Events searchForm "zip" HTML insertion
Press Embargo until April 10, 2007

Rankings:

Noobs: ***
 LOLs: ****
 0wnz: ***

It is possible to break out of the zip parameter of the event search form on http://events.myspace.com using simple quote insertion, allowing for somewhat arbitrary HTML. The form is presented here: http://events.myspace.com/index.cfm?fuseaction=events&Mytoken=x.

The filtering that is in place does limit the usability of this vulnerability somewhat; quick manual auditing of script tags, expression attributes, et cetera, reveals that there is little room for maneuvering in this attack. The filtering of whitespace makes this vector especially difficult to work with. However, for Firefox, we are able to come up with the below:

Screenshot: http://pics.livejournal.com/momby/pic/0000btbr

This is the code to produce the html:

<FORM name="searchForm" action="http://events.myspace.com/index.cfm?fuseaction=events&Mytoken=x" method="post">
 <INPUT type="hidden" size=100 value='"></div></div><span/style="position:absolute;top:50px;left:20px;width:800px;background-color:white;"><p><br><h1/align="center">Win	A	Date	With	Tila	Tequila!!</h1><div/align="center"><img/width="300"src="http://www.phun.org/galleries/tila_nguyen_tila_tequila/tila_nguyen_20.jpg"></span	a="' id="eventsearchzip" name="zip" />
 <a href=# onClick="document.searchForm.submit()">Click here for awesomeness!</a>
</FORM>

The above is wrapped horribly -- the bolded red part, the value of the hidden zip input, is the important bit. A simpler demo is to enter ">0wned! in the zip code input field and notice the phrase reflected outside the field. But that has far fewer boobies. Also note, since this is a POST action, an attacker would need to construct an HTML form like the one above and entice users to click on it. (Attempts to convert it to a GET were fruitless.)

In the above, note the use of the slash character as a word separator -- while this is valid for Firefox 2.x, it does not work for Internet Explorer. However, in some cases, TAB characters will work as whitespace for IE, especially for #text nodes. None of this is to say that it's impossible to exploit for IE users; it's just not particularly easy on the fly. No doubt, your local professional Cyber-Terrorist(tm) already has working code for insertion points such as this.
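The root cause is the one the advisory keeps running into: the zip value is blacklist-filtered and then dropped into the value attribute of the input, instead of being encoded for that context. The Python below is an added illustration, not MySpace's code or the advisory's PoC; the filter is a hypothetical stand-in modelled on the behaviour described (whitespace stripped, bad tokens rewritten), and the audit parser shows why only the encoded rendering keeps ">0wned! inside the attribute.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical stand-in for a blacklist filter of the kind the advisory
# describes (whitespace stripped, known-bad tokens rewritten to ".."), not
# MySpace's actual code. The value is then dropped straight into the attribute.
def render_zip_filtered(zip_value: str) -> str:
    cleaned = re.sub(r"\s+", "", zip_value)
    cleaned = re.sub(r"(?i)<script|expression\(", "..", cleaned)
    return f'<input type="text" id="eventsearchzip" name="zip" value="{cleaned}">'

# Fix: encode for the HTML attribute context. quote=True turns " into &quot;,
# so nothing the user submits can terminate the attribute or open a new tag.
def render_zip_escaped(zip_value: str) -> str:
    safe = html.escape(zip_value, quote=True)
    return f'<input type="text" id="eventsearchzip" name="zip" value="{safe}">'

class _FieldAudit(HTMLParser):
    """Records the tags a browser would see, the zip field's value, and any
    text that landed outside the tag (the "0wned!" reflected in the advisory)."""
    def __init__(self):
        super().__init__()
        self.tags, self.zip_value, self.text = [], None, ""

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if attrs.get("name") == "zip":
            self.zip_value = attrs.get("value") or ""

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)

    def handle_data(self, data):
        self.text += data.strip()

def audit_zip_field(rendered: str) -> dict:
    """Safe rendering invariant: exactly one <input> tag, no stray text, and the
    value the browser sees equals what was submitted."""
    p = _FieldAudit()
    p.feed(rendered)
    p.close()
    return {"tags": p.tags, "zip_value": p.zip_value, "text": p.text}

if __name__ == "__main__":
    for render in (render_zip_filtered, render_zip_escaped):
        print(render.__name__, audit_zip_field(render('">0wned!')))
```

The audit can be run over any server response in which the zip field is echoed back; a result other than one input tag with an empty text field means the value escaped its attribute.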

Credit: rMrGvG of sni-labs first reported this HTML insertion vulnerability. Olé!

by the way..
[info]momby
2007-04-11 03:51 am UTC
Did I mention, nsfw?


Re: by the way..
(Anonymous)
2007-04-11 11:10 pm UTC
No, you didn't and I read this at school lol... Fucking teacher was right behind me. Luckily she didn't see anything.


(Anonymous)
2007-04-11 03:55 am UTC
How would you execute such a script? Do you paste it in your myspace profile or host it on your own server?

[info]Владимир Палант [xpoint.ru]
2007-04-11 11:03 am UTC
Yet another place where they filter HTML instead of escaping HTML entities correctly. It's a pity, they seem to have fixed the filter evasion from MOMBY-00000100, otherwise that would have been an XSS.

Here is a form that will work in both Internet Explorer and Firefox (and even if you don't block MySpace ads): http://pastebin.ca/434319
Yet phun.org seems to dislike you hotlinking to them - the image is no longer served with a MySpace referrer header.


[info]Владимир Палант [xpoint.ru]
2007-04-11 11:18 am UTC
Ok, maybe they didn't fix this filter evasion - it is just impossible to make Internet Explorer submit a form with a NUL character.


(Anonymous)
2007-04-11 03:13 pm UTC
Vladimir.

They fixed that filter evasion method (which you suggested for MOMBY-00000100), like I already said.

MySpace improved their filter system and already replace expression code with ".." - as they always do in their filters. I tested this MOMBY-00001001 hole a lot today.

And I tell you (and everyone) that it is possible to submit a form with a null character in Internet Explorer (like in Mozilla and FF, but in IE it is important for the expression method of filter evasion). I have my own hacky techniques to do this :-) (there are some methods for such a thing).

If anyone wants to have a PoC with a null character or wants to ask me to make an exploit (for MySpace or any other) or wants to ask me to teach making null chars, feel free to contact me. For a small fee I'll help you with nulls ;-) (don't worry, it is a small fee for my time-wasting, so no need to be Bill Gates). Also everyone can learn a little more about hacking (or try googling) to gain this knowledge by yourself. It is really simple.

Best wishes & regards,
MustLive

HTML filtering
(Anonymous)
2007-04-11 02:55 pm UTC
Vladimir.

They fixed that filter evasion method (from MOMBY-00000100). MySpace filters are replacing main XSS code with ".." (as they always do).

But don't worry guys. I have my own hackers' workaround method ;-). Just wait a little and I'll show you. Wait, guys, and you'll learn about my filter evasion technique.

Best wishes & regards,
MustLive


Re: HTML filtering
[info]momby
2007-04-11 06:10 pm UTC
I can confirm MustLive's evasion. It's real and works like a champ for IE and Firefox both. Now everyone paypal him a dollar or ruble or whatever the hell he takes as currency so he'll let MOMBY disclose it.


Re: HTML filtering
(Anonymous)
2007-04-11 09:22 pm UTC
Yes, UA Gryvnas and US Dollars are welcome. You may send it to my WebMoney U and Z wallets :-).

$1 (5 UAG) per 1 null char will be a nice price. And if Bill Gates wants to buy some null chars from me, I can offer him a file with 1 million null chars (or more if he wants) :-). And then he will (possibly) hack 1 million web sites with them.

As I said, it is easy to make null chars for POST submitting (in different browsers). So Vladimir amused me a little (put me in a fun mood) with his statement, and so it is possible to POST a form with null chars from browsers.

In this case, like I said, MySpace is filtering null chars, so another method needs to be used to hack MySpace.

Best wishes & regards,
MustLive

MOMBY-00001001
(Anonymous)
2007-04-11 02:04 pm UTC
The picture doesn't work any more (phun.org is not allowing direct links from their site any more). So I made a new version, with a working picture (yes, nice pic with katana :-) ).

Here is the code:


Click here for awesomeness! (#)


Also I tell you that the code which Mondo Armando and Müstaschio published works in both my Mozilla and IE, so it is cross-browser code.

And it is just HTML Injection.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


Re: MOMBY-00001001
(Anonymous)
2007-04-11 02:47 pm UTC
Yes, LJ removed html-code :-).

I used http://i12.photobucket.com/albums/a206/Cide_FX/Tila/TilaTequila.jpg image in the new version of the PoC code.

And I'll send Mondo Armando the new version by email.

Best wishes & regards,
MustLive


Re: MOMBY-00001001
(Anonymous)
2007-04-11 11:04 pm UTC
The code works, but after you copy and paste it in Notepad or whatever you use to put in HTML code, you need to make a couple of modifications.

<img/width="300"src="http://www.phun.org/galleries/tila_nguyen_tila_tequila/></span> <a

First, add a space between "300" and src=" and erase the space between tila_nguyen_tila_tequila/ and tila_nguyen_20.jpg" and it should work.


Myspace Events searchForm "zip" HTML insertion
(Anonymous)
2007-04-11 03:28 pm UTC
So, guys, what we have.

It is just simple HTML Injection. Like I told in the comments for the other MOMBY bug, the project needs more real holes, real XSS. No lame HTML Injection (or as little as possible), but more real XSS.

In this bug, as I said before, we have filtration by MySpace of every XSS inclusion out there (including the expression method which was used in MOMBY-00000100). So we have only HTML Injection.

Are you sure about that? :-) Like I told you before, I have my own method of filter evasion, so there is an XSS possibility in this hole. I'll send the info to Mondo Armando soon.
