funsec mailing list archives

Zero Day Flaw Found in MySpace


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 25 Oct 2006 05:38:46 GMT

Personally verified.

[snip]

A researcher has published proof-of-concept code on a zero-day
vulnerability he found on MySpace.com -- and another variation on the
cross-site scripting (XSS) theme.

Called XSS fragmentation, the vulnerability consists of multiple
chunks, or fragments, of JavaScript malware that can slip by a filter
or firewall because individually they don't constitute a security risk.
But when they are combined after hitting the site, they can then be
dangerous.

XSS fragmentation is rare, but a potentially powerful vulnerability
that could be used against community-based sites such as MySpace or
Web-based mail systems, security experts say. MySpace in particular is
vulnerable because it takes user-supplied content and stores it without
adequate filtering, says Jeremiah Grossman, CTO of White Hat Security.
An e-commerce site would not be at risk to this type of attack, he says.

XSS in general has become one of the most prevalent targets of online
hackers, with many major Websites sporting XSS vulnerabilities. 

With XSS fragmentation, an attacker could inject the script fragments
onto the MySpace user's interests section, such as music and film,
according to the proof-of-concept posting by kuza55, the hacker who
discovered the vulnerability. 

[snip]

Pretty clever.

More here:
http://www.darkreading.com/document.asp?doc_id=108161

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
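Added example, not part of the original post or the quoted article: a defender's sketch of why the per-field filtering the article describes misses fragments, and why checking or escaping at render time does not. The filter regex, the table template, the field names and the sample fragments are all assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed naive filter: rejects a field only if, on its own, it contains a
# <script> tag or a complete tag that carries an on* event handler.
_FIELD_DENY = re.compile(r"<\s*script|<[^<>]*\son\w+\s*=[^<>]*>", re.I)

def field_passes_filter(value):
    return _FIELD_DENY.search(value) is None

# Hypothetical profile template: fields are stored separately and only
# joined, with site markup in between, when the page is rendered.
TEMPLATE = "<tr><td>{music}</td><td>{films}</td></tr>"

def render_raw(fields):
    return TEMPLATE.format(**fields)

def render_escaped(fields):
    # Context-appropriate output encoding applied to every field.
    safe = {k: html.escape(v, quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**safe)

class _HandlerFinder(HTMLParser):
    """Collects script tags and on* attributes from the assembled page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, None))
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name))

def page_findings(page):
    finder = _HandlerFinder()
    finder.feed(page)
    finder.close()
    return finder.findings

# Constructed sample: each fragment is harmless alone, but the first leaves
# an attribute open so the markup between the fields is swallowed by it.
SAMPLE = {"music": '<img src="x" alt="', "films": '" onerror="alert(1)">'}

if __name__ == "__main__":
    print([field_passes_filter(v) for v in SAMPLE.values()])
    print(page_findings(render_raw(SAMPLE)))
    print(page_findings(render_escaped(SAMPLE)))
```

Both fragments pass the per-field check, the parser finds an event handler only in the assembled raw page, and the escaped rendering yields no findings.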

