[Full-disclosure] XSS in freecodesource.com; (minor) code execution in myspace.com

["none none" <threecheeseopera@xxxxxxxxx>]

Freecodesource.com is a distributor of myspace profile mods and general crapola.
They provide an swf file which allows a myspace user to pop an alert
box on profile page load, with custom text; the text is extracted from
the url of the swf file, then used as a get parameter ('what') to the
url http://www.freecodesource.com/pages/myspacegenerators/welcome.php
which returns a script element containing the customized alert.
The popup code bypasses Myspace's filters by being loaded into a
common named iframe ('up_launchIC') on myspace pages, using the
'target' parameter of the actionscript method getURL().
This can't do anything interesting, since the code used to create the
alert is outside of the myspace.com domain and is therefore subject to
cross-domain restrictions; at most you can navigate to one page using
the browser's security credentials (location.reload).

The XSS is in welcome.php; by closing the script tag in the 'what'
parameter and injecting your own, you can conceivably act on the
freecodesource.com domain using the browsing user's credentials (I
have XHR in mind):
http://www.freecodesource.com/pages/myspacegenerators/welcome.php?what=%22);%3C/script%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

I would like to thank the monkeys at freecodesource.com for stealing
this technique from me (which is why I looked for the xss in the first
place), and for polluting myspace with all of their crap.  Good luck,
monkeys.

"I hate to advocate drugs, alcohol, violence or insanity to anyone,
but they've always worked for me."  HST

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/