lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <727da16f0606101149y61fb7afbp1d0a6fef40c2c8d7@mail.gmail.com>
Date: Sat Jun 10 19:49:18 2006
From: threecheeseopera at gmail.com (none none)
Subject: XSS in freecodesource.com;
	(minor) code execution in myspace.com

Freecodesource.com is a distributor of myspace profile mods and general crapola.
They provide an swf file which allows a myspace user to pop an alert
box on profile page load, with custom text; the text is extracted from
the url of the swf file, then used as a get parameter ('what') to the
url http://www.freecodesource.com/pages/myspacegenerators/welcome.php
which returns a script element containing the customized alert.
The popup code bypasses Myspace's filters by being loaded into a
common named iframe ('up_launchIC') on myspace pages, using the
'target' parameter of the actionscript method getURL().
This can't do anything interesting, since the code used to create the
alert is outside of the myspace.com domain and is therefore subject to
cross-domain restrictions; at most you can navigate to one page using
the browser's security credentials (location.reload).

The XSS is in welcome.php; by closing the script tag in the 'what'
parameter and injecting your own, you can conceivably act on the
freecodesource.com domain using the browsing user's credentials (I
have XHR in mind):
http://www.freecodesource.com/pages/myspacegenerators/welcome.php?what=%22);%3C/script%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

I would like to thank the monkeys at freecodesource.com for stealing
this technique from me (which is why I looked for the xss in the first
place), and for polluting myspace with all of their crap.  Good luck,
monkeys.

"I hate to advocate drugs, alcohol, violence or insanity to anyone,
but they've always worked for me."  HST

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ