[Full-disclosure] about that new MySpace XSS worm
- From: Xavier <compromise@xxxxxxxxx>
- Date: Sun, 18 Dec 2005 01:19:13 -0500
Greetings,
A little while ago I bumped into this new XSS worm on MySpace, I wrote
about it on my blog (direct link:
http://xavsec.blogspot.com/2005/12/new-myspace-xss-worm-circulating.html)
But here is what I know thus far:
1) There is a XSS vulnerability in MySpace.com, in the form of an
unsanitized vulnerability in the variable name "TheName".
2) The XSS worm is propagating via malicious .swf Flash files, using
ActionScript and Cross-Domain data loading.
3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
specifically: allow-access-from domain="*"/) the worm hit many users
across MySpace.
-- Xavier.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Follow-Ups:
- Re: [Full-disclosure] about that new MySpace XSS worm
- From: Valdis Shkesters
- Re: [Full-disclosure] about that new MySpace XSS worm
- Prev by Date: [Full-disclosure] [ GLSA 200512-10 ] Opera: Command-line URL shell command injection
- Next by Date: Re: [Full-disclosure] A CALL FOR FULL-DISCLOSURE TO BECOME AMODERATED LIST
- Previous by thread: [Full-disclosure] [ GLSA 200512-10 ] Opera: Command-line URL shell command injection
- Next by thread: Re: [Full-disclosure] about that new MySpace XSS worm
- Index(es):
