Author | Post |
aceldama |
...now I have no idea whether this has been done before, but it's a little something I discovered yesterday after the myspace people decided to remove my flash music player. (Seems that they have something against using content from myflashfetish.com, which is where my player is hosted.) It's nothing spectacular really, just something I'd like to share.

The Code: as I said, I wanted to use an external player from myflashfetish.com as my music player, to host more than one profile song and have a bit more functionality. So I logged on, did the bits and got the code to use, which was:

<center><embed src="http://myflashfetish.com/myflashfetish-mp3-player.swf?myid=1394802&f=1" menu="false" quality="best" scale="noscale" bgcolor="#ffffff" wmode="transparent" width="218" height="155" name="MyFlashFetish.com" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /></center>

The Problem: myspace removes all the little things she doesn't like, and the pasted code ended up like this:

<center><embed src="http://.../myflashfetish-mp3-player.swf?myid=1394802&f=1" menu="false" quality="best" scale="noscale" bgcolor="#ffffff" wmode="transparent" width="218" height="155" name="..." align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /></center>

The Solution: myspace is notorious for its flaws in the "sanitation & filtering" department. First I thought of using the simple method of registering the URL at tinyurl.com, thus concealing the flash URL completely. But myspace was a step ahead, and "http://tinyurl.com/*" became "http://.../*". Yay...

...seems I needed a new option, so I tried a redirect exploit by changing the URL to "http://38.113.219.114/cgi-bin/ucj/c.cgi?url=h%74tp://www.my%66lashfetish.com/myflashfetish-mp3-player.swf%3Fmyid=1394802%26f=1"

Results! It actually worked! The flash player now loaded with no problems whatsoever. Now I have a flash player until myspace wishes to act on my email. |
02.02.2007 10:47:18 |
theblacksheep |
Hi, that is really cool. I guess quite a lot of people kept searching for a solution to this problem. Does myspace just remove URLs that are in a blacklist, or why haven't they removed "38.113.219.114"? Shouldn't it be replaced by "...", too? Maybe some further research would clear things up. Nevertheless, nice discovery! PS: How did you find the XSS at "http://38.113.219.114/"? |
11.02.2007 09:04:43 |
unknown user |
I guess a bunch of legitimate websites could just put up a small page to filter content through. If I were a myspace user I would probably use one of my other hosts to host a little file that looks sorta like this:

<?php
// Comma-separated list of allowed URLs (the list itself is elided in the post)
$whitelist = explode(",", "http://...");
$url = $_REQUEST['url'];
// Only pass through a URL that is on the list; readfile() streams its contents back
if (in_array($url, $whitelist, true)) {
    readfile($url);
}
?>

However I have no experience with myspace, or any other social networking... it makes me shiver. Furthermore, my PHP syntax is very rusty, but if you are willing to try, I'm sure it's clear enough to understand my point. Or perhaps just send out a 302 message with the correct address (if that's possible cross-site); then there is no XSS. Sounds to me like it's inherently impossible to manage a blacklist at websites like myspace... it should probably whitelist or nothing. Oh, and btw, I learned the hard way that that IP has an NSFW front page. |
11.02.2007 15:00:12 |
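The two ideas in the thread so far, the blacklist rewrite that aceldama's first post bypassed with an open redirector and a percent-encoded target, and the whitelisting pass-through suggested in the post above, are modelled together in the Python below. This is an added example, not code from either poster or from myspace. The blacklist and whitelist contents, the extra redirector parameter names beyond `url`, and the bounded multi-level percent-decoding are assumptions that go a little beyond the single case in the thread; the two URLs are copied from the first post, and nothing here contacts either host.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts the filter is assumed to refuse (constructed from the thread, not myspace's real list).
BLACKLIST = {"myflashfetish.com", "www.myflashfetish.com", "tinyurl.com"}
# Hosts the whitelisting pass-through from the post above would forward to (assumption).
WHITELIST = {"www.myflashfetish.com"}
# Query parameters under which redirectors carry their target: "url" is from the post,
# the others are common names added as an assumption.
REDIRECT_PARAMS = ("url", "u", "target", "redirect", "goto")

# Both URLs are quoted from the first post. They are only parsed, never fetched.
DIRECT = "http://myflashfetish.com/myflashfetish-mp3-player.swf?myid=1394802&f=1"
REDIRECT = ("http://38.113.219.114/cgi-bin/ucj/c.cgi?url=h%74tp://www.my%66lashfetish.com"
            "/myflashfetish-mp3-player.swf%3Fmyid=1394802%26f=1")


def canonical(url: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so h%74tp and double encoding collapse."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def filter_embed_src(src: str) -> str:
    """The blacklist filter as modelled from the post: if the host of the URL *as written*
    is listed, the host is replaced by '...'. It never looks past the outer URL."""
    if host_of(src) in BLACKLIST:
        return urlsplit(src)._replace(netloc="...").geturl()
    return src


def resolve_final_url(url: str, max_hops: int = 5) -> str:
    """Follow redirector-style ?url= parameters offline to the URL the browser would
    finally load. Each hop is decoded before its scheme is checked."""
    for _ in range(max_hops):
        params = parse_qs(urlsplit(url).query)
        nxt = None
        for name in REDIRECT_PARAMS:
            for cand in params.get(name, []):
                cand = canonical(cand)
                if urlsplit(cand).scheme in ("http", "https"):
                    nxt = cand
                    break
            if nxt:
                break
        if nxt is None:
            return url
        url = nxt
    return url


def host_aware_filter(src: str) -> str:
    """Same blacklist, but judged on the resolved destination, so the redirect trick fails."""
    if host_of(resolve_final_url(src)) in BLACKLIST:
        return urlsplit(src)._replace(netloc="...").geturl()
    return src


def whitelist_proxy_allows(url: str) -> bool:
    """The post's pass-through idea as a whitelist decision: forward only when the
    final destination is an allowed host over http(s)."""
    final = resolve_final_url(url)
    return urlsplit(final).scheme in ("http", "https") and host_of(final) in WHITELIST


if __name__ == "__main__":
    for u in (DIRECT, REDIRECT):
        print("as written :", filter_embed_src(u))
        print("host-aware :", host_aware_filter(u))
        print("resolves to:", resolve_final_url(u))
        print("proxy allows", whitelist_proxy_allows(u), "\n")
```

The contrast worth noticing is between `filter_embed_src` and `host_aware_filter`: a filter that only inspects the URL as typed is beaten by any third-party host that bounces to the blacklisted one, and the `h%74tp` style encoding in the post only matters against filters that also pattern-match the raw text. Resolving the destination closes the redirect hole, and inverting the rule into a whitelist of final hosts, as the post suggests, removes the need to enumerate bad hosts at all.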
aceldama |
Good one rhican. I guess I should've warned you about that IP. In my defense, that was (at the time) the first site I could find that had a working redirect service. I'm sure there are many SFW ones out there to play with though. But to comment on tbs's theory: yes, they only seem to have a blacklist of certain words like <script>, javascript, ereg (etc.) and some untrusted websites. Oh, and as an afterthought, the site admins didn't listen to my email. The hole is still wide open and available for exploit. |
Edited by aceldama on 13.02.2007 04:50:26 |
13.02.2007 04:40:06 |
unknown user |
Wouldn't be the first time webmasters don't listen... like when a friend wanted to buy stuff from melanibooks.gr (and thus would have trusted her credit card details to the website), which in my opinion justifies adding a few ' to the website's URL to see if it's half decent... while there is stuff like
http://www.melanibooks.gr/showproduct.asp?catid=359%20and%201=1
in there. In their defence I must say they have an IDS with session sniping..
http://www.melanibooks.gr/showproduct.asp?catid=359%20and%201=1 union select 1
but then again they must have cheaped out on the software or on the sysadmins, because you can fool it by doing this:
http://www.melanibooks.gr/showproduct.asp?catid=359%20and%201=1 union/*anything this is an sql comment*/ select 1
Btw, is session sniping with HTTP traffic not inherently senseless? I emailed them months ago... nothing. The only thing that changed after months is that you couldn't log in anymore with username: ' or '1 password: ' or '1. Yes, OK, it's a bit off-topic, but I have been meaning to disclose this just because it pisses me off how unsafe some charlatans are with your details online... |
14.02.2007 00:04:50 |
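To make the three `catid` payloads in the post above concrete, here is an added example that is not the site's code (its real schema is unknown; the tables are constructed). It runs the payloads against a string-concatenated query and against a validated, parameterised one in SQLite, alongside a hypothetical signature IDS that matches "union select" the way the post describes, and the comment-stripping normalisation that stops the `/* */` evasion. The `' or '1` login bypass from the end of the post is included as well.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the shop's unknown schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, catid INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 359, 'book A'), (2, 359, 'book B'), (3, 360, 'book C');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return con


# The values after "catid=" in the post, URL-decoded.
AND_TRUE = "359 and 1=1"
UNION_SPACED = "359 and 1=1 union select 1"
UNION_COMMENT = "359 and 1=1 union/*anything this is an sql comment*/select 1"

# Hypothetical signature IDS of the kind the post describes: it only recognises
# "union" and "select" when they are separated by whitespace.
IDS_RE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def naive_ids_blocks(value: str) -> bool:
    return IDS_RE.search(value) is not None


def normalise_for_ids(value: str) -> str:
    """Drop SQL block comments and collapse whitespace before matching, so a
    comment between the keywords no longer hides the signature."""
    no_comments = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", no_comments)


def hardened_ids_blocks(value: str) -> bool:
    return IDS_RE.search(normalise_for_ids(value)) is not None


def vulnerable_showproduct(con: sqlite3.Connection, catid: str) -> list:
    """String concatenation: whatever arrives in catid becomes part of the SQL."""
    sql = f"SELECT name FROM products WHERE catid={catid}"
    return [row[0] for row in con.execute(sql)]


def safe_showproduct(con: sqlite3.Connection, catid: str) -> list:
    """Validate the type first, then bind it; the value can never be parsed as SQL."""
    try:
        cid = int(catid)
    except ValueError:
        return []
    return [row[0] for row in con.execute("SELECT name FROM products WHERE catid=?", (cid,))]


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    sql = (f"SELECT COUNT(*) FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return con.execute(sql).fetchone()[0] > 0


def safe_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    row = con.execute("SELECT COUNT(*) FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    con = make_db()
    for payload in (AND_TRUE, UNION_SPACED, UNION_COMMENT):
        print(repr(payload))
        print("  naive IDS blocks:", naive_ids_blocks(payload),
              " hardened IDS blocks:", hardened_ids_blocks(payload))
        print("  vulnerable:", vulnerable_showproduct(con, payload),
              " safe:", safe_showproduct(con, payload))
    print("login bypass  vulnerable:", vulnerable_login(con, "' or '1", "' or '1"),
          " safe:", safe_login(con, "' or '1", "' or '1"))
```

The IDS part is only a detour: normalising comments away catches this one evasion, but any signature can be written around. The durable fix is the pair `safe_showproduct` and `safe_login`, where the input is a bound parameter (and, for `catid`, an integer) and the three payloads simply match no rows.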
quangntenemy |
Well just pwn them and their eyes will be wide open |
14.02.2007 00:50:28 |
unknown user |
I'm not a pwning kinda guy; the worst defacement I ever did was adding a "." character for about a minute, just to make sure that I wasn't in a honeypot. |
14.02.2007 00:59:37 |
HynFaerie |
Just like rhican said, you'd be surprised how many sysadmins don't listen. However, I realised that in some cases they just don't have any knowledgeable admins... MerchCO-online is one... and they lost a few credit card numbers/PayPal numbers because a simple [' or '1] went straight to the admin account... *fixed now, I believe, though... about bloody time*. PayPal has a nice fraud check thing, and they do listen to holes, which they fix really quickly =) rhican, it's been a while, hasn't it? |
20.03.2007 03:48:17 |
unknown user |
I don't really understand your question. However, this link might be slightly relevant (although it looks a bit dodgy): http://momby.livejournal.com/ |
20.03.2007 08:40:51 |
quangntenemy |
Looks like a honeypot to me |
20.03.2007 09:37:08 |