lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun Dec 18 15:21:30 2005
From: compromise at gmail.com (Xavier)
Subject: about that new MySpace XSS worm

Greetings,

A little while ago I bumped into this new XSS worm on MySpace, I wrote
about it on my blog (direct link:
http://xavsec.blogspot.com/2005/12/new-myspace-xss-worm-circulating.html)

But here is what I know thus far:

1) There is a XSS vulnerability in MySpace.com, in the form of an
unsanitized vulnerability in the variable name "TheName".
2) The XSS worm is propagating via malicious .swf Flash files, using
ActionScript and Cross-Domain data loading.
3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
specifically: allow-access-from domain="*"/) the worm hit many users
across MySpace.

-- Xavier.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ