This was a while ago, but once again unsurprising..The amount of security holes that have been discovered in MySpace (to say they hold some pretty confidential info and are a preying ground for paedos..it’s a scary thought).
Once again an XSS flaw shows up in MySpace.
digi7al64 found yet another hole in myspace using non-alpha-non-digit exploit. Again, this time, like last time, MySpace is doing a bad job of stripping out tags. This is the fifth time they’ve been hit by this exact same issue. MySpace should really consider hiring someone who knows how to write while loops. Until then they are vulnerable yet again. The trick is again simple:
<body onload<script=alert(‘xss’);> becomes: <body onload..=alert(‘xss’);> because they strip out the <script tag without recursively iterating over the same string to ensure they haven’t created another vector.
It’s look like they simply blacklisted again as the flaw is still there, but this particular string doesn’t work any more.
Like Forrest Gump might have once said, “Blacklist stripping is like a box of chocolates – you know what you’re going to get.” You never know what the data is going to end up looking like until you’re done stripping it, which is why you need to recursively go over the text over and over until you have found nothing. This is a hard lesson to learn I guess. Nice job, digi7al64!
Watch out MySpace.