M.O.M.B.Y! (![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small} momby) wrote,@ 2007-04-25 11:56:00 |
|
| Current mood: |  frustrated |
| Entry tags: | no-xss |
MOMBY-00010010: Video Upload "title" Image Alt Text Error
Advisory MOMBY-00010010: Video Upload "title" Image Alt Text Error
Noobz: ****** LOLz: *** 0wnz: ?
Myspace allows users to upload video content to be aggregated and ultimately viewed by other Myspace users. Due to a problem in input validation on the "title" variable for the "metaForm" portion of the video upload application, it is possible for an attacker to cause input to be displayed outside the resulting alt parameter of the video's icon image.
Though this is certainly a bug, it appears that this is not exploitable by the feeble minds of the MOMBY! Cartel, due to the correct application of Myspace XSS filtering of common XSS elements, such as <script> tags, event handlers, style expression()s and the like. Also, most HTML elements are also correctly filtered. Perhaps the most interesting feature of this bug is that Myspace is clearly and correctly defending against the malicious leveraging of this bug, but still fails to correctly escape the "> sequence if provided by the user.
Screenshot: http://pics.livejournal.com/momby/pic/0
Credit: rMrGvG of SNI-LABS first reported this bug. He reported it early on in MOMBY, so it's quite possible this was an exploitable condition then. Regardless, basic failure to escape user input is still a bug today.
