funsec mailing list archives
Zero Day Flaw Found in MySpace
From: "Fergie" <fergdawg () netzero net>
Date: Wed, 25 Oct 2006 05:38:46 GMT
Personally verified. [snip] A researcher has published proof-of-concept code on a zero-day vulnerability he found on MySpace.com -- and another variation on the cross-site scripting (XSS) theme. Called XSS fragmentation, the vulnerability consists of multiple chunks, or fragments, of JavaScript malware that can slip by a filter or firewall because individually they don't constitute a security risk. But when they are combined after hitting the site, they can then be dangerous. XSS fragmentation is rare, but a potentially powerful vulnerability that could be used against community-based sites such as MySpace or Web-based mail systems, security experts say. MySpace in particular is vulnerable because it takes user-supplied content and stores it without adequate filtering, says Jeremiah Grossman, CTO of White Hat Security. An e-commerce site would not be at risk to this type of attack, he says. XSS in general has become one of the most prevalent targets of online hackers, with many major Websites sporting XSS vulnerabilities. With XSS fragmentation, an attacker could inject the script fragments onto the MySpace user's interests section, such as music and film, according to the proof-of-concept posting by kuza55, the hacker who discovered the vulnerability. [snip] Pretty clever. More here: http://www.darkreading.com/document.asp?doc_id=108161 - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Zero Day Flaw Found in MySpace Fergie (Oct 24)