Noobz: ** 1/2 LOLz: ********* 0wnz: * 1/2
Because the logout request is not validated (no Referer check, no anti-CSRF token or other confirmation), an attacker can force any logged-in Myspace user's session to end.
To log a victim out, the attacker only needs the victim's browser to request the following URL: http://collect.myspace.com/index.cfm?fu
Example tag: A tag such as <img src="http://momby.phpnet.us/myspace/noi
Note that a forced logout is only the most visible application of CSRF: any other state-changing request on the site that lacks the same validation can be triggered on the victim's behalf in exactly the same way.
Credit: AwEsOmE AnDrEw specifically reported the .htaccess-enabled variant, which uses an .htaccess rule on the attacker's host to turn a harmless-looking image URL into the logout request and so logs users out silently; this vector earned a pile of extra LOLs (for the specific .htaccess syntax provided, see http://momby.phpnet.us/myspace/.htacces