[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <601053640512191200ta24e23fnbc6d9949bfeda5c6@mail.gmail.com>
Date: Mon Dec 19 20:00:40 2005
From: kpawloski at gmail.com (Kevin Pawloski)
Subject: about that new MySpace XSS worm
A worm propagating through MySpace using a malicious flash file has been
going on for awhile now. There was one back in the end of October where
viewing a malicious Flash file changed your default picture to our main man
Ali G. A few days later, Symantec issued a security bulletin for
vulnerabilities in Flash versions 6.X and 7.X. (See BugtraqID 15332)
In other words, the "worm" creates a link to the malicious flash file in
your MySpace profile. Whenever someone views your profile with a vulnerable
version of Flash they become infected and the "worm" grows.
Kevin
On 12/19/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
>
> Hi,
> I read your blog. Find my comments inline -
>
> ----- Original Message -----
> From: "Xavier" <compromise@...il.com>
> To: <full-disclosure@...ts.grok.org.uk>
> Sent: Sunday, December 18, 2005 8:19 AM
> Subject: [Full-disclosure] about that new MySpace XSS worm
>
> >> 1) There is a XSS vulnerability in MySpace.com, in the form of an
> >> unsanitized vulnerability in the variable name "TheName".
>
> <No Comments Here>
>
> >> 2) The XSS worm is propagating via malicious .swf Flash files,
> >> using ActionScript and Cross-Domain data loading.
>
> I failed to understand, how it manage to _self-propagate_ via .swf file??
> Can you elaborate here???
>
> If your answer is XSS, then it implies it is not self propagating worm and
> involves some sort of social engineering to entice the victim to click on
> the malicious link. If the answer is not XSS, then I guess the use of XSS
> in
> the blog is highly misleading.
>
>
> >> 3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
> >> specifically: allow-access-from domain="*"/) the worm hit many users
> >> across MySpace.
>
> Although, I can see the url with possible XSS in your blog but it is
> unclear
> to me where and how it has been used.. The major player which I can see
> here
> is "xmlhttp". The first version of samy worm actually demonstrate the real
> power of xmlhttp in the malicious form. The interesting part of the worm
> was, the way xmlhttp was used to send request to cross-domain and the use
> of
> 'eval' to bypass all those script / tags parsing mechanism.
>
> - T (aka D)
>
> Ps: A mix of xmlhttp + AJAX + RSS => Creats really cool web based
> self-propagating worms which makes millions of sites using rss
> vulnerable.... More to come ...
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051219/67f2f87f/attachment-0001.html
Powered by blists - more mailing lists