Trusted Site Cross Site Scripting Elevation of Privilege in Musicmatch

From: Hyperdose Security (robfly_at_hyperdose.com)
Date: 04/14/05

    To: <bugtraq@securityfocus.com>
    Date: Thu, 14 Apr 2005 07:37:37 -0700
    
    

    Hyperdose Security Advisory

    Name: Trusted Site Cross Site Scripting Elevation of Privilege in Musicmatch
    Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo,
    v9.00.5059 and earlier are also affected)
    Severity: Moderate
    Author: Robert Fly - robfly@hyperdose.com
    Advisory URL: http://www.hyperdose.com/advisories/H2005-04.txt

    --MusicMatch Description--
    From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find
    and organize your music, giving you ultimate control of your music
    experience." In September 04 Musicmatch was purchased by Yahoo! Inc.

    --Bug Details--
    Upon installation of MusicMatch versions prior to 10.00.2047, the domain
    *.musicmatch.com is added to the Trusted Sites zone of IE. This zone runs
    at a very high level of privilege and since XP SP2, this zone offers the
    lowest security in a default install. As such, adding a domain to this zone
    needs extra security consideration.

    The most common way of taking advantage of an application setting this is
    through Cross Site Scripting issues. A quick check showed that there were
    exploitable XSS bugs in the musicmatch domain.

    Musicmatch in its latest release has now removed *.musicmatch.com from the
    Trusted Sites zone (Yahoo!) which is a smart move. They have also fixed the
    XSS vulnerabilities which I had previously reported to them as well.

    --Fix Information--
    As of 3/21/05 Yahoo has released a new version which fixes this
    vulnerability. I have withheld vulnerability details until now so that
    MusicMatch automatic updates had a chance to propagate.
    Downloads available here:
    http://www.musicmatch.com/download/free/security.htm
    Security FAQ available here:
    http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

    --About Hyperdose--
    Hyperdose Security was founded to provide companies with application
    security knowledge through all parts of an application's security
    development lifecycle. We specialize in all phases of software development
    ranging from security design and architectural reviews, security code
    reviews and penetration testing.

    web www.hyperdose.com
    email robfly@hyperdose.com
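
An audit check for the condition described under Bug Details, as an added example that is not part of the original advisory: it reads the text of a `reg export` of Internet Explorer's `ZoneMap` key and lists every site mapped to the Trusted Sites zone (zone 2), marking domain-wide entries. The function name `trusted_site_mappings` and the sample export are constructed for illustration; the advisory does not show how the installer stored its entry.

```python
import re

TRUSTED_SITES = 2  # IE URL security zone number for Trusted Sites
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\ZoneMap\\(?:Esc)?Domains\\(?P<rest>[^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"(?P<proto>[^"]+)"=dword:(?P<zone>[0-9a-fA-F]{8})$')

def trusted_site_mappings(reg_text):
    """List Trusted Sites mappings in the text of a `reg export` of a ZoneMap key."""
    findings, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group("hive"), m.group("rest").split("\\")) if m else None
            continue
        v = VAL_RE.match(line)
        if not (current and v) or int(v.group("zone"), 16) != TRUSTED_SITES:
            continue
        hive, parts = current
        # Values on the domain key itself cover every host under that domain;
        # a single host is stored as a subkey (Domains\example.org\intranet).
        domain_wide = len(parts) == 1
        site = "*." + parts[0] if domain_wide else ".".join(reversed(parts))
        findings.append({"hive": hive, "site": site,
                         "protocol": v.group("proto"), "domain_wide": domain_wide})
    return findings

# Constructed sample export (not taken from a real Musicmatch installation).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\musicmatch.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org\intranet]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000004
"""

if __name__ == "__main__":
    for f in trusted_site_mappings(SAMPLE_EXPORT):
        scope = "ALL subdomains" if f["domain_wide"] else "single host"
        print(f'{f["hive"]}: {f["site"]} ({f["protocol"]}) -> Trusted Sites, {scope}')
```

`reg export` writes UTF-16 by default, so decode the file with `encoding="utf-16"` before passing its text in.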

