M.O.M.B.Y! ([info]momby) wrote,
@ 2007-04-23 19:44:00
Current location:back on the bitchy ol internet
Current mood: awake
Current music:the whining of our readers
Entry tags:.htaccess, csrf

MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout
Advisory MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout

Noobz: ** 1/2
LOLz: *********
0wnz: * 1/2


Due to a lack of Referer checking or other form of validation, an attacker may arbitrarily cause Myspace users to end their sessions.

Ultimately, an attacker needs to get a user's browser to request the following URL to log the user off: http://collect.myspace.com/index.cfm?fuseaction=signout. Because the endpoint performs no origin checking, that request can be any browser request, including a background request the user never sees. For example, an attacker can configure their own web server (via .htaccess) so that 404 errors redirect to the signout URL, then embed a reference to an image that does not exist; the browser's background fetch of the missing image is redirected to, and silently triggers, the session-ending GET action.

Example tag: A tag such as <img src="http://momby.phpnet.us/myspace/noimageforyou.jpg"> may be embedded anywhere user-controlled content is rendered, and can be targeted at particular users through blog comments, messages, etc.

It's important to note that forced logouts are only one application of CSRF: any state-changing action that the site accepts over an unauthenticated-by-origin GET can be triggered the same way.

Credit: AwEsOmE AnDrEw specifically reported the .htaccess-based variant that silently logs users out, and earned a pile of extra LOLs for this vector (for the exact .htaccess syntax provided, see http://momby.phpnet.us/myspace/.htaccess).
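The advisory's root cause is that the signout endpoint accepts a bare GET with no Referer or token check. The function below is an added example of the server-side validation that would block the image-redirect vector; it is not MySpace's code, and the allowed host list, the session token and the sample request headers are all constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Hosts the signout form is served from (assumed for this example).
ALLOWED_HOSTS = {"collect.myspace.com", "www.myspace.com"}


def origin_host(headers):
    """Host named by the Origin header, else by Referer, else None."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return (urlsplit(value).hostname or "").lower()
    return None


def is_state_change_allowed(method, headers, form, session_token):
    """Return True only if all three defences pass.

    1. Require POST: an <img> fetch or a 404 -> redirect chain can only
       produce a GET, so the advisory's vector never gets past this line.
    2. Require an Origin/Referer from one of our hosts; a missing header is
       treated as cross-site (fail closed).
    3. Require the per-session CSRF token in the form body, compared in
       constant time so the check does not leak timing information.
    """
    if method != "POST":
        return False
    if origin_host(headers) not in ALLOWED_HOSTS:
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


# Constructed per-session token; a real one is random and unguessable.
SESSION_TOKEN = "example-session-token-not-real"

# Constructed request as the browser emits it after following the advisory's
# missing-image redirect: a background GET, attacker page as Referer, no token.
IMAGE_TRICK = dict(method="GET",
                   headers={"Referer": "http://momby.phpnet.us/myspace/"},
                   form={}, session_token=SESSION_TOKEN)

# Constructed legitimate signout submitted from the site's own logout form.
LEGIT_SIGNOUT = dict(method="POST",
                     headers={"Origin": "http://collect.myspace.com"},
                     form={"csrf_token": SESSION_TOKEN},
                     session_token=SESSION_TOKEN)
```

Any one of the three checks alone stops the image trick; together they also cover the case where an attacker can get a POST out of the victim's browser.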





(Anonymous)
2007-04-24 01:16 am UTC (link)
LOL @ current music...


.
(Anonymous)
2007-04-24 02:00 am UTC (link)
no working example?


Re: .
(Anonymous)
2007-04-24 06:02 am UTC (link)
Although perhaps a bad design, as this works as it is intended to work, it's not a bug. MustLive has posted probably the best real bug. At least have the balls to admit you have no clue what you are doing. You guys don’t even know how half the bugs you post even work! You should rename this to MOMSKUNT; Month of Miserable Script Kiddies Using No Talent.


Re: .
(Anonymous)
2007-04-24 07:26 am UTC (link)
You're right. It's not a bug. It's a CSRF vulnerability. There's probably a shitload of places that a GET request can cause some function to trigger, but most of us don't even actually use MySpace so get the fuck over yourself.


Re: .
(Anonymous)
2007-04-24 08:01 am UTC (link)
Go fuck your MOMSKUNT! lol


Re: .
(Anonymous)
2008-08-11 01:52 pm UTC (link)
Way to go, tell them no good sons of bitches.. This is absurd, trying to attack people's MySpace login, what a cheap shot, try hacking into something worthwhile weirdos. lol


Re: .punks
(Anonymous)
2008-08-11 01:53 pm UTC (link)
Way to go, tell them no good sons of bitches.. This is absurd, trying to attack people's MySpace login, what a cheap shot, try hacking into something worthwhile weirdos. lol


Yeah...
(Anonymous)
2007-04-24 11:19 am UTC (link)
REALLY old, really obvious, and really lame. Good job momby. In one month, you've delivered at most 2 useful bugs. We know you have the good bugs. Why won't you release them? Perhaps you don't want the best ones to be public, so you can exploit them for yourself?


Re: Yeah...
(Anonymous)
2007-04-24 11:31 pm UTC (link)
What are these good bugs you speak of? You mean the r3v3rs3 b1nd sh3ll k3rn3l st4ck b4s3d r3m0t3 mysp4c3 r00t????? I want it too!!!1 And what about a myspace auto-pwner?



[info]leacyxip
2008-07-17 02:05 pm UTC (link)
If you really need life energy you can use mine, you know. Mom: Don't be absurd. You're the only human left in this world.



(Anonymous)
2007-04-24 04:07 pm UTC (link)
Is it just me or does this not even work??

I tried it in IE and in Firefox and neither are affected unless i explicitly open the image.



[info]rennadurep
2008-07-16 05:49 am UTC (link)
-- ais 20 November ( U T C ) It does not work for me neither in IE nor in Firefox. Anyway, my original idea was not to adjust it for only myself by employing such a complicated technical trick, but to make Wikipedia pleasant for all, including the short sighted and the elderly with weaker sight.



[info]karinefoja
2008-07-16 05:30 pm UTC (link)
They're not going to make me do that. " But they did. Chi-Style Drunksaling: Vol. 4. 2 - It pays to ask.


Listen Up
(Anonymous)
2007-04-24 05:11 pm UTC (link)


ok listen ... on Sat april 28

its my b-day... i been waiting ... for you guys to release a nice/killer bug on my d-bay...

but its been two weekends without you guys posting anything on weekends so please... MTV pimp my ride...

oh shit .. what im saying... please guys make my day .. :)


http://myspaceunofficialhelp.com

MySquares


Re: Listen Up
(Anonymous)
2007-04-24 09:51 pm UTC (link)
Yes guys, make MySquares' day. Publish a nice vulnerability at his birthday.

Make all last days :-).

Best wishes & regards,
MustLive


Re: Listen Up
[info]manincowboysuit
2007-04-25 12:16 am UTC (link)
I agree! And I don't count! Because I don't have a super-secret hacker identity! I'm just Phillip!


MOMBY-00010000
(Anonymous)
2007-04-24 10:11 pm UTC (link)
Not bad. It is a nice CSRF hole, and there are many such simple CSRF vulnerabilities at MySpace.

Yes, it is a small, old, obvious and common hole; it is a generic hole of the Internet itself. But it is a hole in any case. CSRF is normal for every web site, and in some cases may be used for bad purposes. Like the signout trick and many other stuff.

So sites need to be made secure from CSRF, and it is a hard task. Guys, don't underestimate CSRF, because it is a security issue. This example is simple, but in other cases with complex scenarios (like CSRF + XSS) it can be more dangerous. Just look at the previous POST XSS bugs at MOMBY.

P.S.

There are many other places for such CSRF Signout trick.

Put the URL of your csrf-image.jpg in Blog->Customize Blog->Background Image and you will get some fun with your visitors :-) (and even get some feedback from them).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


Re: MOMBY-00010000
(Anonymous)
2007-04-24 10:28 pm UTC (link)
Or guys, you can do the same CSRF Signout trick with this URL:
http://tinyurl.com/fwzbm

It is the TinyURL CSRF Invasion technique ;-).

Use it in any tag which MySpace allows, or even as the URL in an anchor tag.

Best wishes & regards,
MustLive


Re: MOMBY-00010000
(Anonymous)
2007-04-24 10:41 pm UTC (link)
MySpace is filtering tinyurl.com in the fields in Customize My Blog.

They are afraid of tinyurl :-).

Best wishes & regards,
MustLive


Re: MOMBY-00010000
(Anonymous)
2007-04-25 03:12 pm UTC (link)
Other versions of the CSRF Signout trick with these URLs:

http://elfurl.com/oqzhs

http://www.hugeurl.com/?NWQyOGE2OWVjNTk2OTA4ODFhMWRiNDQzNmY0

It is a new version of the well-known TinyURL CSRF Invasion technique: the elfURL CSRF Invasion and HugeURL CSRF Invasion techniques.

Best wishes & regards,
MustLive


Re: MOMBY-00010000
(Anonymous)
2007-10-27 07:48 pm UTC (link)
how do u get rid of this bug if someone sends it to u?


Hola mardena
(Anonymous)
2007-07-31 07:47 am UTC (link)
Hola mardena!
falikotrepat



(Anonymous)
2007-10-27 07:50 pm UTC (link)
how do u get rid of the bug if someone sent it to u?


