[Full-disclosure] about that new MySpace XSS worm



Greetings,

A little while ago I bumped into this new XSS worm on MySpace, I wrote
about it on my blog (direct link:
http://xavsec.blogspot.com/2005/12/new-myspace-xss-worm-circulating.html)

But here is what I know thus far:

1) There is a XSS vulnerability in MySpace.com, in the form of an
unsanitized vulnerability in the variable name "TheName".
2) The XSS worm is propagating via malicious .swf Flash files, using
ActionScript and Cross-Domain data loading.
3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
specifically: allow-access-from domain="*"/) the worm hit many users
across MySpace.

-- Xavier.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/