
Advisory MOMBY-00001100: Clickable "returnPath" XSS

Press Embargo until April 16, 2007
Rankings:

Noobs: ****
LOLs: **
0wnz: **

A pretty straightforward XSS advisory for today. The returnPath parameter of the messageboard.posted application is placed into a link without any validation, so by supplying their own value an attacker can produce a clickable javascript: URI (or, apparently, a URI using any other protocol handler).

The challenge is to make this useful for an attacker. This would likely involve some measure of social engineering to convince the victim to actually click on the "Back to Forum" link. Alternatively, an attacker could take advantage of an origin violation browser bug to automatically click on the link on the user's behalf.

Example link: http://forum.myspace.com/index.cfm?fuseaction=messageboard.posted&returnPath=javascript:alert('aw%20yeah%20thx%Synthetic');

Unlike most of our other XSS advisories, this link will only work correctly if the victim is already logged in; thus, a cookie-stealing attack, in this case, is guaranteed to have immediately usable results.
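The root cause is a "return to" parameter reflected into an href without a scheme check; HTML attribute escaping alone does not help, because a javascript: URI is a perfectly well-formed attribute value. The following is an added example of the server-side validation a defender would apply to such a parameter. It is not code from the advisory or from the Myspace application; the function names, the default path and the sample inputs are assumptions, and only site-relative paths (a single leading slash) are accepted.

```python
"""Validate a user-supplied "return path" before emitting it as a link target."""
import html
from urllib.parse import urlsplit, urlunsplit

# Assumed fallback when the supplied value is rejected (placeholder path).
DEFAULT_RETURN_PATH = "/index.cfm"


def safe_return_path(value, default=DEFAULT_RETURN_PATH):
    """Return a site-relative path safe to place in an href, else the default."""
    if not isinstance(value, str) or not value:
        return default
    # Browsers strip ASCII tabs and newlines before scheme parsing, so
    # "java\tscript:" is treated as "javascript:". Reject control characters.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    # Browsers treat a backslash like a slash in http(s) URLs, so "/\evil" would
    # resolve as the protocol-relative "//evil". Refuse backslashes outright.
    if "\\" in value:
        return default
    parts = urlsplit(value)
    # Any scheme (javascript:, data:, vbscript:, or http: to another host) or
    # any authority (//evil.example/...) means this is not a path on our site.
    if parts.scheme or parts.netloc:
        return default
    # Require an absolute path on this site: exactly one leading slash.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Re-emit only path and query, dropping any fragment, in canonical form.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def back_to_forum_link(return_path_param):
    """Render the "Back to Forum" anchor with a validated, attribute-escaped href."""
    href = safe_return_path(return_path_param)
    # Escaping protects the attribute boundary; the scheme check above is what
    # keeps javascript: and other protocol handlers out of the link.
    return '<a href="%s">Back to Forum</a>' % html.escape(href, quote=True)
```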

Screenshot: http://pics.livejournal.com/momby/pic/0000d19t

Credit: Synthetic, who upon reflection has decided that listing a Myspace page as a contact point in a Myspace security advisory may not have been the wisest decision.

Tags: clickable, xss