M.O.M.B.Y! (momby) wrote,

MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS

Advisory MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS
Press Embargo until April 9, 2007


Noobs: **
LOLs: *******
0wnz: *****

A cross-site scripting vulnerability exists in the "index.cfm?fuseaction" web application on Myspace.com. Fuseaction is the main navigation application, common to nearly all aspects of the *.myspace.com domain, so this XSS vector works in all tested areas of Myspace. The problem occurs because a URL parameter is reflected back into the page without sanitizing the quote character that terminates the attribute it lands in, so the injected value can break out of that attribute.

This vulnerability ranks two "Noobs" due to the complexity of the underlying response -- the XSS insertion point is not immediately obvious in the HTTP responses generated when inspecting the transactions with simple web code auditing techniques using FireBug and TamperData. Note, these are both excellent tools for discovering low-hanging XSS fruit -- just not this one.

Sample link: http://www.myspace.com/index.cfm?fuseaction=splash&schoolID=test'/onload='alert(document.location)

(Works for both IE and Firefox)
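To illustrate the attribute break-out the advisory describes from the defender's side, here is an added example (not code from Myspace or from this post): a reflection with no attribute encoding beside one that escapes the value, plus a check that parses the result the way a browser would and lists any event-handler attributes that appeared. The attribute name `data-school` is an assumption; the advisory does not say which attribute the parameter lands in.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the parameter value from the advisory's sample link.
SAMPLE_SCHOOL_ID = "test'/onload='alert(document.location)"


def render_vulnerable(school_id: str) -> str:
    """Reflect the query value into a single-quoted attribute with no encoding.

    This mirrors the bug class in the advisory; 'data-school' is a hypothetical
    attribute name, not Myspace's markup.
    """
    return f"<body data-school='{school_id}'>"


def render_hardened(school_id: str) -> str:
    """Same reflection, but the value is HTML-attribute encoded.

    html.escape(quote=True) turns ' " < > & into entities, so a quote in the
    input can no longer close the attribute and start a new one.
    """
    return f"<body data-school='{html.escape(school_id, quote=True)}'>"


class _AttrCollector(HTMLParser):
    """Collect each start tag's attributes as the HTML parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: dict[str, dict[str, str | None]] = {}

    def handle_starttag(self, tag, attrs):
        self.tags[tag] = dict(attrs)


def event_handlers(fragment: str) -> list[str]:
    """Return the on* attribute names a browser would attach from this fragment."""
    parser = _AttrCollector()
    parser.feed(fragment)
    return sorted(name for attrs in parser.tags.values()
                  for name in attrs if name.startswith("on"))


def attribute_value(fragment: str, tag: str, name: str):
    """Return the decoded value of one attribute, or None if it is absent."""
    parser = _AttrCollector()
    parser.feed(fragment)
    return parser.tags.get(tag, {}).get(name)
```

Running `event_handlers(render_vulnerable(SAMPLE_SCHOOL_ID))` reports the injected `onload`, while the hardened rendering reports none and still round-trips the original value through `attribute_value`.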

Screenshot: http://pics.livejournal.com/momby/pic/0000abhy

Credit: Wladimir first reported this vulnerability. He is also smarter than MOMBY, and provided several other vectors and implementations of this bug, but not much in the way of discovery methodology or background. Hopefully he (or someone else more familiar with the vulnerability) will explain the details a little better in the comments section of this advisory.

Tags: event handler, fuseaction, xss