M.O.M.B.Y! (momby) wrote,

MOMBY-00010010: Video Upload "title" Image Alt Text Error

Advisory MOMBY-00010010: Video Upload "title" Image Alt Text Error
Noobz: ******
LOLz: ***
0wnz: ?

Myspace allows users to upload video content to be aggregated and ultimately viewed by other Myspace users. Due to a problem in input validation on the "title" variable for the "metaForm" portion of the video upload application, it is possible for an attacker to cause input to be displayed outside the resulting alt attribute of the video's icon image.

Though this is certainly a bug, it appears not to be exploitable by the feeble minds of the MOMBY! Cartel, because Myspace correctly filters common XSS elements such as <script> tags, event handlers, style expression()s and the like. Most HTML elements are also correctly filtered. Perhaps the most interesting feature of this bug is that Myspace is clearly and correctly defending against malicious use of it, yet still fails to escape the "> sequence when the user supplies it.
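The gap described above, as an added example (not Myspace's code and not part of the original advisory): a blacklist filter that removes tags and handlers still lets a title close the alt attribute, while encoding for the quoted-attribute context keeps it inside. The filter regex, function names, icon file name and sample title are all constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for a blacklist filter: removes tags, on* handlers and
# expression( but leaves quote and angle-bracket characters untouched.
BLACKLIST = re.compile(r"<[^>]*>|\bon\w+\s*=|expression\s*\(", re.IGNORECASE)

def render_filtered_only(title):
    """'Before' form: blacklist filtering only, no attribute encoding."""
    return '<img src="icon.jpg" alt="%s">' % BLACKLIST.sub("", title)

def render_escaped(title):
    """Hardened form: encode &, <, > and quotes for a quoted attribute."""
    return '<img src="icon.jpg" alt="%s">' % html.escape(title, quote=True)

class AltAudit(HTMLParser):
    """Records the parsed alt value and any text that landed outside the tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.alt = None
        self.leaked = ""

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.alt = dict(attrs).get("alt")

    def handle_data(self, data):
        self.leaked += data

def audit(markup):
    """Return (alt value as a parser sees it, text rendered outside the tag)."""
    parser = AltAudit()
    parser.feed(markup)
    parser.close()
    return parser.alt, parser.leaked

# Constructed, inert sample title containing the "> sequence from the advisory.
SAMPLE_TITLE = 'My video"> stray text'

if __name__ == "__main__":
    for render in (render_filtered_only, render_escaped):
        markup = render(SAMPLE_TITLE)
        print(render.__name__, markup, audit(markup), sep="\n  ")
```

A non-empty second element from `audit()` is a usable regression check: it means user text was rendered outside the attribute it was meant for.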

Screenshot: http://pics.livejournal.com/momby/pic/0000rqg1

Credit: rMrGvG of SNI-LABS first reported this bug. He reported it early on in MOMBY, so it's quite possible this was an exploitable condition then. Regardless, basic failure to escape user input is still a bug today.
Tags: no-xss