M.O.M.B.Y! (momby) wrote,
M.O.M.B.Y!
momby

MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout

Advisory MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout
Noobz: ** 1/2
LOLz: *********
0wnz: * 1/2


Due to a lack of Referer checking or other form of validation, an attacker may arbitrarily cause Myspace users to end their sessions.

Ultimately, an attacker needs to get a user to visit the following URL to log off: http://collect.myspace.com/index.cfm?fuseaction=signout. However, due to the lack of origin checking, an attacker may cause a user to visit a link via any browser request, including background requests. Thus, for example, by setting a redirect action as a 404 error, an attacker may embed a non-existent image to trigger the session-ending GET action.

Example tag: A tag such as <img src="http://momby.phpnet.us/myspace/noimageforyou.jpg"> may be embedded throughout user-controlled areas, and may be targeted to particular users through blog comments, messages, etc.

It's important to note that automated log outs are not the only application of CSRFs.

Credit: AwEsOmE AnDrEw reported specifically the .htaccess-enabled attack in order to silently log out users, and earned a pile of extra LOLs thanks to this vector (to read the specific .htaccess syntax provided, see http://momby.phpnet.us/myspace/.htaccess).
Tags: .htaccess, csrf
  • Post a new comment

    Error

    default userpic
  • 24 comments