Press Embargo until April 10, 2007
Rankings: Noobs: *** LOLs: **** 0wnz: ***
It is possible to break out of the zip parameter the e search form on http://events.myspace.com using simple quote insertion, allowing for somewhat arbitrary HTML. The form is presented here: http://events.myspace.com/index.cfm?fuse
The filtering that is available does limit the usability of this vulnerabilty somewhat; quick manual auditing of script tags, expression attributes, et cetera, reveals that there is little room for manuvering in this attack. The filtering of whitespace makes this vector especially difficult to work with. However, for Firefox, we are able to come up with the below:
This is the code to produce the html:
<FORM name="searchForm" action="http://events.myspace.com/index.cfm?fuseacti on=events&Mytoken=x" method="post"> <INPUT type="hidden" size=100 value='"></div></div><span/ style="position:absolute;top:50px;left:20px;width:800px;background-color:white; "><p><br><h1/align= "center">Win A Date With Tila Tequila!!</h1><div/align="center"> <img/width="300"src="http://www.phun.org/galleries/tila_nguyen_tila_tequila/ tila_nguyen_20.jpg"></span a="' id="eventsearchzip" name="zip" /> <a href=# onClick="document.searchForm.submit()">Click here for awesomeness!</a> </FORM>
The above is wrapped horribly -- the bolded red part is the important bit. A simpler demo is to enter ">0wned! in the zip code input field and notice the phrase reflected outside the feild. But that has far fewer boobies. Also note, since this is a POST action, an attacker would need to construct an HTML form like the one above and entice users to click on it. (Attempts to convert to a GET were fruitless.)
In the above, note the use of the slash character as a word seperator -- while this is valid for Firefox 2.x, this does not work for Internet Explorer. However, in some cases, <TAB&tab; characters will work as whitespace for IE, especially for #text nodes. None of this is to say that it's impossible to exploit for IE users; it's just not particularly easy on the fly. No doubt, your local professional Cyber-Terrorist(tm) already has working code for insertion points such as this.
Credit: rMrGvG of sni-labs first reported this HTML insertion vulnerability. Olé!