lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1113489856.32498@mx249a.mysite4now.com>
Date: Thu, 14 Apr 2005 07:37:37 -0700
From: "Hyperdose Security" <robfly@...erdose.com>
To: <bugtraq@...urityfocus.com>
Subject: Trusted Site Cross Site Scripting Elevation of Privilege in Musicmatch


Hyperdose Security Advisory

Name: Trusted Site Cross Site Scripting Elevation of Privilege in Musicmatch
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo
v9.00.5059 and earlier are also affected)
Severity: Moderate
Author: Robert Fly - robfly@...erdose.com 
Advisory URL: http://www.hyperdose.com/advisories/H2005-04.txt

--MusicMatch Description--
From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find
and organize your music, giving you ultimate control of your music
experience."  In September 04 Musicmatch was purchased by Yahoo! Inc.

--Bug Details--
Upon installation of MusicMatch versions prior to 10.00.2047, the domain
*.musicmatch.com is added to the Trusted Sites zone of IE.  This zone runs
at a very high level of privilege and since XP SP2, this zone offers the
lowest security in a default install.  As such, adding a domain to this zone
needs extra security consideration.

The most common way of taking advantage of an application setting this is
through Cross Site Scripting issues.  A quick check showed that there were
exploitable XSS bugs in the musicmatch domain.

Musicmatch in its latest release has now removed *.musicmatch.com from the
Trusted Sites zone (Yahoo!) which is a smart move.  They have also fixed the
XSS vulnerabilities which I had previously reported to them as well.

--Fix Information--
As of 3/21/05 Yahoo has released a new version which fixes this
vulnerability.  I have witheld vulnerability details until now so that
MusicMatch automatic updates had a chance to propogate.
Downloads available here:
http://www.musicmatch.com/download/free/security.htm
Security FAQ available here:
http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle.  We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.

web   www.hyperdose.com 
email robfly@...erdose.com





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ