| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Dec 19 20:00:40 2005 From: kpawloski at gmail.com (Kevin Pawloski) Subject: about that new MySpace XSS worm A worm propagating through MySpace using a malicious flash file has been going on for awhile now. There was one back in the end of October where viewing a malicious Flash file changed your default picture to our main man Ali G. A few days later, Symantec issued a security bulletin for vulnerabilities in Flash versions 6.X and 7.X. (See BugtraqID 15332) In other words, the "worm" creates a link to the malicious flash file in your MySpace profile. Whenever someone views your profile with a vulnerable version of Flash they become infected and the "worm" grows. Kevin On 12/19/05, Debasis Mohanty <mail@...kingspirits.com> wrote: > > Hi, > I read your blog. Find my comments inline - > > ----- Original Message ----- > From: "Xavier" <compromise@...il.com> > To: <full-disclosure@...ts.grok.org.uk> > Sent: Sunday, December 18, 2005 8:19 AM > Subject: [Full-disclosure] about that new MySpace XSS worm > > >> 1) There is a XSS vulnerability in MySpace.com, in the form of an > >> unsanitized vulnerability in the variable name "TheName". > > <No Comments Here> > > >> 2) The XSS worm is propagating via malicious .swf Flash files, > >> using ActionScript and Cross-Domain data loading. > > I failed to understand, how it manage to _self-propagate_ via .swf file?? > Can you elaborate here??? > > If your answer is XSS, then it implies it is not self propagating worm and > involves some sort of social engineering to entice the victim to click on > the malicious link. If the answer is not XSS, then I guess the use of XSS > in > the blog is highly misleading. > > > >> 3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note > >> specifically: allow-access-from domain="*"/) the worm hit many users > >> across MySpace. > > Although, I can see the url with possible XSS in your blog but it is > unclear > to me where and how it has been used.. The major player which I can see > here > is "xmlhttp". The first version of samy worm actually demonstrate the real > power of xmlhttp in the malicious form. The interesting part of the worm > was, the way xmlhttp was used to send request to cross-domain and the use > of > 'eval' to bypass all those script / tags parsing mechanism. > > - T (aka D) > > Ps: A mix of xmlhttp + AJAX + RSS => Creats really cool web based > self-propagating worms which makes millions of sites using rss > vulnerable.... More to come ... > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051219/67f2f87f/attachment-0001.html
Powered by blists - more mailing lists