M.O.M.B.Y! ([info]momby) wrote,
@ 2007-04-24 19:44:00
Current mood: hopeful
Entry tags:clickable, xss

MOMBY-00010001: Clickable "numberPagesBack" XSS
Advisory MOMBY-00010001: Clickable "numberPagesBack" XSS

Noobz: ****
LOLz: **
0wnz: **

The action handler for the "Email Customer Service" form at http://collect.myspace.com/index.cfm?fuseaction=misc.contactInput contains a clickable cross-site scripting (XSS) vulnerability. The page returned after submitting a message builds its content from parameters taken from the URI. The two parameters of note are highlighted here (URL broken for readability):

http://collect.myspace.com/index.cfm?page=none&emailAddress=[[ERROR
0000011c EMAIL ADDRESS NOT ENTERED]]
&fuseaction=misc.contactConfirm
&numberPagesBack=0);alert('cookie theft '%2bdocument.location);// (tiny)

Screenshot: http://pics.livejournal.com/momby/pic/0000pzyx

Similar to MOMBY-1100, this link must be clicked by a victim in order to be effective for an attacker. Unlike MOMBY-1100, however, victims need not be authenticated, which lowers the relative value of the attack; victims are not guaranteed to possess useful session information. On the gripping hand, the attacker does have some freedom to alter the emailAddress parameter in order to further persuade a victim to click on the presented "return to fix errors" link. For example, the attacker could present a false form for e-mailing Myspace customer service about something compelling, then intentionally alter the user's provided e-mail address with an engineered onSubmit() "hiccup" action immediately before loading the XSS-injected page. Victims, in turn, are more likely to believe that the presented "results" do require them to reenter information.

Credit: This bug was first reported by Synthetic.
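The bug above comes down to a query parameter being written straight into a script call. As an added example that is not the advisory's or MySpace's code, this Node.js snippet models that rendering beside a hardened version that only accepts a small integer, plus the log check a defender would derive from it; the script template, the back() wrapper and the 1-3 digit limit are assumptions.

```javascript
// Added example, not MySpace's or the advisory author's code. It models a
// "return to fix errors" page that writes the numberPagesBack request parameter
// into an inline history.go() call, as the advisory describes, next to a
// hardened version. The template, back() wrapper and digit limit are assumed.
const PARAM = "numberPagesBack";

// Vulnerable: the raw query value is concatenated into JavaScript source, so a
// value that closes the call, e.g. 0);alert(1);//, appends arbitrary script.
function renderVulnerable(params) {
  const n = params.get(PARAM) ?? "0";
  return `<script>function back(){ history.go(-${n}); }</script>`;
}

// Hardened: allow-list the parameter as a short non-negative integer and fall
// back to 0 on anything else; the script is built from the number, not the string.
function parsePagesBack(raw) {
  if (typeof raw !== "string" || !/^\d{1,3}$/.test(raw)) return 0;
  return Number(raw);
}
function renderHardened(params) {
  const n = parsePagesBack(params.get(PARAM));
  return `<script>function back(){ history.go(-${n}); }</script>`;
}

// Log review / WAF rule shape: a numberPagesBack value that is not purely
// numeric is the signature of the injection in this advisory.
function isSuspiciousPagesBack(raw) {
  return typeof raw === "string" && !/^\d+$/.test(raw);
}

// Constructed request mirroring the advisory's parameter layout and payload.
const sampleUrl =
  "http://collect.myspace.com/index.cfm?fuseaction=misc.contactConfirm" +
  "&emailAddress=x&numberPagesBack=0);alert('cookie theft '%2bdocument.location);//";
const sampleParams = new URL(sampleUrl).searchParams;

console.log(renderVulnerable(sampleParams)); // the go() call is closed early
console.log(renderHardened(sampleParams));   // history.go(-0); as seen after the fix
```

The hardened output, history.go(-0);, matches what a commenter below reports seeing once MySpace patched the page.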





URL Obfuscation
[info]momby
2007-04-25 12:56 am UTC
By the by, Myspace is knocking out TinyURL.com links, but elfURL.com will work just as well (and they are much cooler), as will HugeURL.com (much, much cooler). With ElfURLs, though, you need to be careful, since they don't do enough sanitization of input, so you will often end up accidentally XSS'ing yourself if you don't use constructs like &lt; and &gt; for brackets.

Finally, I expect that any ol' blind redirect (as demoed in the last advisory) will work in a pinch.


Re: URL Obfuscation
(Anonymous)
2007-04-25 03:02 pm UTC
Yes, man, ElfURL and HugeURL are nice ;-).

Like any other redirection service.

So if MySpace fixes one redirector (puts it in their filters), we can use any other. It is Redirector Wars :-).

Best wishes & regards,
MustLive


Re: URL Obfuscation
[info]teh_commodore
2007-04-27 12:49 am UTC
Speaking of, you dudes know of this new msplinks system they have, right?



(Anonymous)
2007-04-25 11:19 am UTC
Fixed already? All I get is go(-0);


MOMBY-00010001
(Anonymous)
2007-04-25 01:19 pm UTC
They already fixed this hole. And it is common for MySpace.

Best wishes & regards,
MustLive
