[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] about that new MySpace XSS worm

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] about that new MySpace XSS worm
From: Xavier <compromise@xxxxxxxxx>
Date: Sun, 18 Dec 2005 01:19:13 -0500

Greetings,

A little while ago I bumped into this new XSS worm on MySpace, I wrote
about it on my blog (direct link:
http://xavsec.blogspot.com/2005/12/new-myspace-xss-worm-circulating.html)

But here is what I know thus far:

1) There is a XSS vulnerability in MySpace.com, in the form of an
unsanitized vulnerability in the variable name "TheName".
2) The XSS worm is propagating via malicious .swf Flash files, using
ActionScript and Cross-Domain data loading.
3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
specifically: allow-access-from domain="*"/) the worm hit many users
across MySpace.

-- Xavier.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] about that new MySpace XSS worm
  - From: Valdis Shkesters

Prev by Date: [Full-disclosure] [ GLSA 200512-10 ] Opera: Command-line URL shell command injection
Next by Date: Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME AMODERATED LIST
Previous by thread: [Full-disclosure] [ GLSA 200512-10 ] Opera: Command-line URL shell command injection
Next by thread: Re: [Full-disclosure] about that new MySpace XSS worm
Index(es):
- Date
- Thread