Advisory MOMBY-00000110: Myspace Jobs Search XSS
Press Embargo until April 6, 2007
Noobs: ** LOLs: *** 0wnz: ***
The "careers.search" application at http://jobs.myspace.com is vulnerable to cross-site scripting (XSS) attacks. While this insertion point is valid for all browsers worth mentioning, it should be noted that the insertion point is for the event handler of an <INPUT> tag, and does not appear to allow for direct insertion of <SCRIPT> tags. While this does limit the style of attack -- attackers need to be careful with spaces and quotes -- the substance of the attack should be unaffected given some creative syntax.
As with all MOMBY Advisories, actually leveraging XSS to do something useful is left as an exercise to the reader. Google "XSS" and learn all about it. It's great fun and nobody takes XSS seriously.
Example link: http://jobs.myspace.com/index.cfm?fuseaction=careers.search&sb=&locale=US&startIndex=0&keywords=&location=%22+onMouseOver%3Dalert%28document.location%29%3E&x=0&y=0
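What the `location` value in the example link does to an attribute context, and what output encoding changes, as an added example (not part of the original advisory and not MySpace's code). The `<input>` template is an assumption, since the advisory does not show the page markup.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Example link from the advisory.
EXAMPLE_LINK = (
    "http://jobs.myspace.com/index.cfm?fuseaction=careers.search"
    "&sb=&locale=US&startIndex=0&keywords="
    "&location=%22+onMouseOver%3Dalert%28document.location%29%3E&x=0&y=0"
)

# Assumption: the search form echoes the parameter into a quoted attribute.
TEMPLATE = '<input type="text" name="location" value="{}">'


class InputAttrs(HTMLParser):
    """Record the attribute names of each <input> tag, as a parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.tags.append([name for name, _ in attrs])


def location_param(url):
    """Return the URL-decoded 'location' query parameter."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["location"][0]


def render_unsafe(value):
    # Raw interpolation: a double quote in the value ends the attribute early.
    return TEMPLATE.format(value)


def render_encoded(value):
    # Attribute encoding: '"', '<', '>' and '&' become character references.
    return TEMPLATE.format(escape(value, quote=True))


def input_attr_names(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.tags


def event_handlers(markup):
    """Names of on* attributes found on <input> tags in the markup."""
    return [n for tag in input_attr_names(markup) for n in tag if n.startswith("on")]
```

With raw interpolation the parser reports an `onmouseover` attribute that the template never declared; with encoding the same input stays inside `value`.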
Credit: The reporter of this vulnerability prefers to remain any mouse.
Apologies: I'm sorry for being a weepy drunk yesterday. I'm over it. Mustachio didn't die, by the way. Although, upon reflection, we probably should have called an ambulance rather than post an auth bypass bug.