Noobz: **** LOLz: ** 0wnz: **
The action handler for the "Email Customer Service" form at http://collect.myspace.com/index.cfm?fuseaction=misc.contactInput contains a clickable cross-site scripting (XSS) vulnerability. The confirmation page returned after submitting a message builds its content from parameters taken from the URI, with no encoding for the context they land in. The two parameters of note are highlighted here (URL broken for readability):
0000011c EMAIL ADDRESS NOT ENTERED]]&fuseaction=misc.contactConfirm
&numberPagesBack=0);alert('cookie theft '%2bdocument.location);// (tiny)
Similar to MOMBY-1100, this link must be clicked by a victim in order to be effective for an attacker. Unlike MOMBY-1100, however, victims need not be authenticated, which lowers the relative value of the attack; victims are not guaranteed to possess useful session information. On the gripping hand, the attacker does have some freedom to alter the emailAddress parameter in order to further persuade a victim to click on the presented "return to fix errors" link. For example, the attacker could present a false form for e-mailing Myspace customer service about something compelling, then intentionally alter the user's provided e-mail address with an engineered onSubmit() "hiccup" action immediately before loading the XSS-injected page. Victims, in turn, are more likely to believe the presented "results" do require them to reenter information.
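To make the reflection concrete, the following is an added illustration, not MySpace's ColdFusion code and not part of the original advisory. It models the confirmation page in JavaScript: the template text, the [[ ]] error marker and the assumption that numberPagesBack is dropped into a history.go() call are all reconstructions from the URL fragment above. The vulnerable renderer pastes the parameter into inline script unchanged; the hardened one accepts only a small integer for numberPagesBack and HTML-escapes emailAddress, and a small check flags requests whose numberPagesBack is not a plain integer for logging or blocking.

```javascript
// Added illustration of the reflection pattern described in this advisory.
// It is not MySpace's ColdFusion code: the template, the [[ ]] error marker
// and the use of numberPagesBack in a history.go() call are assumptions.

// HTML-escape a value that is placed into element text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: numberPagesBack is pasted into inline JavaScript as-is,
// so a value like  0);alert('xss');//  closes the history.go(-...) call,
// runs the injected statement and comments out the rest of the line.
function renderConfirmVulnerable(params) {
  const email = params.emailAddress ?? "";
  const back = params.numberPagesBack ?? "0";
  return [
    "<p>Error: [[" + email + "]]</p>",
    "<a href=\"javascript:history.go(-" + back + ")\">return to fix errors</a>",
  ].join("\n");
}

// Hardened version: numberPagesBack must be a one- or two-digit non-negative
// integer (anything else falls back to 0), and the e-mail address is
// HTML-escaped before it is placed in the page.
function sanitizePagesBack(value) {
  const text = String(value ?? "");
  return /^\d{1,2}$/.test(text) ? Number(text) : 0;
}

function renderConfirmHardened(params) {
  const email = escapeHtml(params.emailAddress ?? "");
  const back = sanitizePagesBack(params.numberPagesBack);
  return [
    "<p>Error: [[" + email + "]]</p>",
    "<a href=\"javascript:history.go(-" + back + ")\">return to fix errors</a>",
  ].join("\n");
}

// Detection helper: a request is suspicious when numberPagesBack is not a
// plain integer, which is the signature of an attempt to break out of the
// numeric literal inside the script context.
function isSuspiciousPagesBack(value) {
  return !/^\d{1,2}$/.test(String(value ?? ""));
}

// Constructed sample request mirroring the shape of the advisory's URL.
const sampleRequest = {
  fuseaction: "misc.contactConfirm",
  emailAddress: "EMAIL ADDRESS NOT ENTERED",
  numberPagesBack: "0);alert('xss');//",
};

console.log("vulnerable:\n" + renderConfirmVulnerable(sampleRequest));
console.log("hardened:\n" + renderConfirmHardened(sampleRequest));
console.log("suspicious:", isSuspiciousPagesBack(sampleRequest.numberPagesBack));
```

The fix worth noting is the allow-list on numberPagesBack rather than any attempt to escape it: a value that is only ever meant to be a small integer should be parsed as one, and everything else rejected, so no quoting scheme has to be correct for the JavaScript context. The same check doubles as a cheap server-side signal, since a legitimate browser never sends anything but digits in that field.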
Credit: This bug was first reported by Synthetic.