Date: Sun Dec 18 22:42:19 2005
From: valdis at antivirus.lv (Valdis Shkesters)
Subject: about that new MySpace XSS worm

Hi,

The case with MySpace is not the first one where self-propagating code has been created for a special environment such as social networking. In August this year, a conceptual code appeared on the Latvian Internet which was able to send itself to users of the site Draugiem.lv (an analogue of MySpace.com). Draugiem.lv has its own internal messaging system. By exploiting an XSS vulnerability, the conceptual code (JavaScript) was able to send itself to other friends when a user only looked at the infected message. The code has been added to the Kaspersky Anti-Virus database as Worm.JS.Graud.a.

Best regards,
Valdis

----- Original Message -----
From: "Xavier" <compromise@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Sunday, December 18, 2005 8:19 AM
Subject: [Full-disclosure] about that new MySpace XSS worm

Greetings,

A little while ago I bumped into this new XSS worm on MySpace. I wrote about it on my blog (direct link: http://xavsec.blogspot.com/2005/12/new-myspace-xss-worm-circulating.html), but here is what I know thus far:

1) There is an XSS vulnerability in MySpace.com, in the form of an unsanitized vulnerability in the variable named "TheName".
2) The XSS worm is propagating via malicious .swf Flash files, using ActionScript and cross-domain data loading.
3) Thanks to the XSS and http://www.myspace.com/crossdomain.xml (note specifically: <allow-access-from domain="*"/>), the worm hit many users across MySpace.

-- Xavier.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
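As an added illustration, not part of either post above, a small audit of the kind of Flash crossdomain.xml policy Xavier points at: the wildcard grant quoted in the thread is checked beside a restrictive alternative. Both policy documents and the hostnames in them are constructed for this example.

```python
"""Audit a Flash crossdomain.xml policy for over-broad access grants."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the wildcard policy quoted in the thread:
# any SWF hosted anywhere may load this site's content with the viewer's cookies.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
  "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# Constructed hardened counterpart: only named hosts, reachable over HTTPS only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
  <allow-access-from domain="cdn.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of findings (strings) for risky allow-access-from rules.

    An empty list means no wildcard or insecure-transport grant was found.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not cross-domain-policy"]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # 'secure' defaults to true; only an explicit "false" weakens it.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append('wildcard domain="*": any origin may read authenticated content')
        elif domain.startswith("*."):
            findings.append(f"subdomain wildcard {domain}: every host under that suffix is trusted")
        if secure == "false":
            findings.append(f'secure="false" for {domain}: plain-HTTP origins may read HTTPS content')
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or ["no findings"])
```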