Re: about that new MySpace XSS worm

["Valdis Shkesters" <valdis () antivirus lv>]

Hi,

The case with MySpace is not the first one when for a special environment,

such as social networking there is created self-propagating code.



In August this year in Latvian Internet there appeared a conceptual code

which was able to send himself to users of the site Draugiem.lv (analoque of

MySpace.com). Draugiem.lv has its own internal messaging system. By the way

of exploiting XSS vulnerability conceptual code (JavaScript) was able to

send himself to other friends when user only looked at the infected message.



The code is added to Kaspersky Anti-Virus database as Worm.JS.Graud.a.



Best regards,



Valdis



----- Original Message ----- 
From: "Xavier" <compromise () gmail com>
To: <full-disclosure () lists grok org uk>
Sent: Sunday, December 18, 2005 8:19 AM
Subject: [Full-disclosure] about that new MySpace XSS worm


Greetings,

A little while ago I bumped into this new XSS worm on MySpace, I wrote
about it on my blog (direct link:
http://xavsec.blogspot.com/2005/12/new-myspace-xss-worm-circulating.html)

But here is what I know thus far:

1) There is a XSS vulnerability in MySpace.com, in the form of an
unsanitized vulnerability in the variable name "TheName".
2) The XSS worm is propagating via malicious .swf Flash files, using
ActionScript and Cross-Domain data loading.
3) Thanks to the XSS, and http://www.myspace.com/crossdomain.xml (note
specifically: allow-access-from domain="*"/) the worm hit many users
across MySpace.

-- Xavier.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/