lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon Dec 19 19:50:16 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: about that new MySpace XSS worm

Hi, 
I read your blog. Find my comments inline - 

----- Original Message -----
From: "Xavier" <compromise@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Sunday, December 18, 2005 8:19 AM
Subject: [Full-disclosure] about that new MySpace XSS worm

>> 1) There is a XSS vulnerability in MySpace.com, in the form of an
>> unsanitized vulnerability in the variable name "TheName".

<No Comments Here>

>> 2) The XSS worm is propagating via malicious .swf Flash files, 
>> using ActionScript and Cross-Domain data loading.

I failed to understand, how it manage to _self-propagate_ via .swf file??
Can you elaborate here??? 

If your answer is XSS, then it implies it is not self propagating worm and
involves some sort of social engineering to entice the victim to click on
the malicious link. If the answer is not XSS, then I guess the use of XSS in
the blog is highly misleading. 


>> 3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
>> specifically: allow-access-from domain="*"/) the worm hit many users
>> across MySpace.

Although, I can see the url with possible XSS in your blog but it is unclear
to me where and how it has been used.. The major player which I can see here
is "xmlhttp". The first version of samy worm actually demonstrate the real
power of xmlhttp in the malicious form. The interesting part of the worm
was, the way xmlhttp was used to send request to cross-domain and the use of
'eval' to bypass all those script / tags parsing mechanism. 

- T (aka D)

Ps: A mix of xmlhttp + AJAX + RSS => Creats really cool web based
self-propagating worms which makes millions of sites using rss
vulnerable.... More to come ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ