M.O.M.B.Y! (momby) wrote,
MOMBY-00010001: Clickable "numberPagesBack" XSS

Advisory MOMBY-00010001: Clickable "numberPagesBack" XSS
Noobz: ****
LOLz: **
0wnz: **

The action handler for the "Email Customer Service" form at http://collect.myspace.com/index.cfm?fuseaction=misc.contactInput contains a clickable cross-site scripting (XSS) vulnerability. The resulting page from submitting a message builds its content from parameters collected from the URI. The two parameters of note are highlighted here (url broken for readability):

http://collect.myspace.com/index.cfm?page=none&emailAddress=[[ERROR
0000011c EMAIL ADDRESS NOT ENTERED]]
&fuseaction=misc.contactConfirm
&numberPagesBack=0);alert('cookie theft '%2bdocument.location);//

Screenshot: http://pics.livejournal.com/momby/pic/0000pzyx

Similar to MOMBY-1100, this link must be clicked by a victim in order to be effective for an attacker. Unlike MOMBY-1100, however, victims need not be authenticated, which lowers the relative value of the attack; victims are not guaranteed to possess useful session information. On the gripping hand, the attacker does have some freedom to alter the emailAddress parameter in order to further persuade a victim to click on the presented "return to fix errors" link. For example, the attacker could present a false form for e-mailing Myspace customer service about something compelling, then intentionally alter the user's provided e-mail address with an engineered onSubmit() "hiccup" action immediately before loading the XSS-injected page. Victims, in turn, are more likely to believe the presented "results" do require them to reenter information.
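As an added illustration (not code from the advisory or from Myspace), here is a small Python reconstruction of the flawed reflection pattern beside a hardened version. The template shape, with emailAddress landing in HTML text and numberPagesBack landing inside an inline history.go() call, is an assumption inferred from the payload above:

```python
import html
import re
from typing import Optional

# Constructed sample input, modelled on the two parameters in the advisory's URL.
PAYLOAD_EMAIL = "[[ERROR 0000011c EMAIL ADDRESS NOT ENTERED]]"
PAYLOAD_PAGES_BACK = "0);alert('cookie theft '+document.location);//"

# Assumed shape of the confirmation page (hypothetical, not Myspace's markup):
# the e-mail is reflected into HTML text, numberPagesBack into a JS call.
TEMPLATE = (
    "<p>Your message could not be sent from: {email}</p>\n"
    '<a href="#" onclick="history.go(-{pages});return false;">'
    "Return to fix errors</a>"
)


def render_vulnerable(email: str, pages_back: str) -> str:
    """Reflects both URI parameters verbatim: the flawed pattern."""
    return TEMPLATE.format(email=email, pages=pages_back)


_PAGES_RE = re.compile(r"[0-9]{1,2}")


def validate_pages_back(value: str) -> Optional[int]:
    """Accept only a small non-negative integer; reject everything else.

    A JavaScript numeric context cannot be made safe by escaping alone, so
    the parameter is parsed to an int and re-emitted from that int.
    """
    if _PAGES_RE.fullmatch(value) is None:
        return None
    return int(value)


def render_hardened(email: str, pages_back: str) -> str:
    """Validates the JS-context parameter and escapes the HTML-context one."""
    pages = validate_pages_back(pages_back)
    if pages is None:
        raise ValueError("numberPagesBack must be a small non-negative integer")
    return TEMPLATE.format(email=html.escape(email, quote=True), pages=pages)


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_EMAIL, PAYLOAD_PAGES_BACK))
    print(render_hardened(PAYLOAD_EMAIL, "1"))
```

Running the block shows the first rendering breaking out of the history.go() call exactly as the advisory's URL does, while the hardened rendering refuses the same input.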

Credit: This bug was first reported by Synthetic.

Tags: clickable, xss