| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Dec 19 20:05:28 2005 From: mail at hackingspirits.com (Debasis Mohanty) Subject: about that new MySpace XSS worm >> In other words, the "worm" creates a link to the malicious flash file in your MySpace profile. >> Whenever someone views your profile with a vulnerable version of Flash they become infected and the "worm" grows. Exactly !! This is what seems to be the reason behind the worm propagation. Thats why I mentioned the use of 'XSS' in the blog is highly misleading... - T _____ From: Kevin Pawloski [mailto:kpawloski@...il.com] Sent: Tuesday, December 20, 2005 1:31 AM To: Debasis Mohanty Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] about that new MySpace XSS worm A worm propagating through MySpace using a malicious flash file has been going on for awhile now. There was one back in the end of October where viewing a malicious Flash file changed your default picture to our main man Ali G. A few days later, Symantec issued a security bulletin for vulnerabilities in Flash versions 6.X and 7.X. (See BugtraqID 15332) In other words, the "worm" creates a link to the malicious flash file in your MySpace profile. Whenever someone views your profile with a vulnerable version of Flash they become infected and the "worm" grows. Kevin On 12/19/05, Debasis Mohanty <mail@...kingspirits.com> wrote: Hi, I read your blog. Find my comments inline - ----- Original Message ----- From: "Xavier" <compromise@...il.com> To: < <mailto:full-disclosure@...ts.grok.org.uk> full-disclosure@...ts.grok.org.uk> Sent: Sunday, December 18, 2005 8:19 AM Subject: [Full-disclosure] about that new MySpace XSS worm >> 1) There is a XSS vulnerability in MySpace.com, in the form of an >> unsanitized vulnerability in the variable name "TheName". <No Comments Here> >> 2) The XSS worm is propagating via malicious .swf Flash files, >> using ActionScript and Cross-Domain data loading. I failed to understand, how it manage to _self-propagate_ via .swf file?? Can you elaborate here??? If your answer is XSS, then it implies it is not self propagating worm and involves some sort of social engineering to entice the victim to click on the malicious link. If the answer is not XSS, then I guess the use of XSS in the blog is highly misleading. >> 3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml <http://www.myspace.com/crossdomain.xml> (note >> specifically: allow-access-from domain="*"/) the worm hit many users >> across MySpace. Although, I can see the url with possible XSS in your blog but it is unclear to me where and how it has been used.. The major player which I can see here is "xmlhttp". The first version of samy worm actually demonstrate the real power of xmlhttp in the malicious form. The interesting part of the worm was, the way xmlhttp was used to send request to cross-domain and the use of 'eval' to bypass all those script / tags parsing mechanism. - T (aka D) Ps: A mix of xmlhttp + AJAX + RSS => Creats really cool web based self-propagating worms which makes millions of sites using rss vulnerable.... More to come ... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html <http://lists.grok.org.uk/full-disclosure-charter.html> Hosted and sponsored by Secunia - http://secunia.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051220/1d4c684e/attachment.html
Powered by blists - more mailing lists