85 Comments
- foooey, on 10/12/2007, -1/+3
post is a troll =
cross site scripting has jack to do with the language the app is written in
PHP is as vulnerable as CFML, as is ASP, etc etc
- tjhanley, on 10/12/2007, -0/+2
it isn't really a CF issue. it is that they allow you to put whatever you want into any text area, CSS, HTML, TEXT. they are probably only checking for keywords like script... they don't think about people putting blank spaces in the middle of their javascript. what he should do is ajax all the content that the users put into their textareas and use.
    // build a text node from the fetched content; a text node is never parsed as HTML
    var currenttext = document.createTextNode(ajaxedContent);
then setting the currenttext to the innerTEXT of the div or span (or whatever they are using)...
    var mycurrent_cell = document.createElement("TD");
    var currenttext = document.createTextNode(ajaxedContent);
    mycurrent_cell.appendChild(currenttext);   // the user content lands in the cell as plain text
    row.appendChild(mycurrent_cell);           // row is the <tr> being filled
if they are using tables.
the textNode object doesn't allow any scripting in it. http://www.mozilla.org/docs/dom/domref/dom_doc_ref47.html
learn the DOM Tom...
- finalcut, on 10/12/2007, -0/+1
It's funny that I keep seeing posts against ColdFusion and the only justification is "it blows". Have any of you used ColdFusion? Sure, it, like all languages, has its drawbacks - but to claim it sucks is just plain ignorant.
Some points in its favor:
1. it is very easy to learn
2. it is very readable and thus potentially easy to maintain
3. It compiles to Java Byte code - so if you're complaining about CF being slow, you're really complaining about Java being slow. If that is the case I suggest you learn how to actually set up a Java Application Server.
4. You can build fairly complex apps very quickly once you're in the coding phase.
5. Easiest language EVER establishing connections with a Database and iterating over the resultset.
Some potential drawbacks to coldfusion
1. people don't like the tag based syntax and wish it looked more like C or more like a scripting language (perhaps they should try CFScript then, you can accomplish 90% of all CF in CFSCRIPT).
2. You have to pay for the server - this is probably what most of you are complaining about. It isn't free so it sucks. Use BlueDragon then, they offer a free CFML Server.
I can't really think of anything else that folks might dislike about it because those two are all that anyone has ever told me.
- inactive, on 10/12/2007, -0/+0
fyre2012: if your code looks anything like that, I think you'll find that most languages will be a "BITCH." IMO, Coldfusion isn't a bitch at all.
- pr0t3st, on 10/12/2007, -0/+0
Aww..what is this animosity towards myspace??
It has gotten me laid on numerous occasions (today for example) and I find new, kickass music all the time.
- inactive, on 10/12/2007, -0/+0
Awesome, Maybe now the entire Sony Corporation can go down. And thousands will be out of jobs. Awesome!
- schroeder, on 10/12/2007, -0/+0
Myspace is dumb if you're trying to meet random dumb people like people do with aim and irc etc... but i just keep in touch with real-life friends and share pics to keep in touch, it was really helpful when i didn't have a phone for a year. Also it's useful to use as a band site if you aren't or can't afford a decent web designer... with all the automatic show listings, music player, friends list and simple layout it's much better than purevolume.
- inactive, on 10/12/2007, -0/+0
Sorry, that looks like a bug in Digg. It shouldn't have posted to this story. I have them both open in tabs.
- tjhanley, on 10/12/2007, -0/+0
finalcut. i've been certified in cf and i still think it sux. i use it daily, as well as php, perl, rails... the app server is crud. i agree for RAD CF has its pros but the actually server is a piece
- finalcut, on 10/12/2007, -0/+0
why is it a piece? I have used it, asp, rails, java, you name it over the past six years to develop web apps.
The CF apps have all run fine, they have scaled well, and I can do just about anything I need to with CF.
CF isn't perfect for everything (no language is) but I just don't see what the problem is with CF, the server or the language, that causes people to hate it so much (just like I don't see why so many CF developers dislike PHP).
What kind of server problems have you had?
- tjhanley, on 10/12/2007, -0/+0
^actual
- smartguy2045, on 10/12/2007, -0/+0
No more embed though, right?
- TheGeneral, on 10/12/2007, -0/+0
Why does Myspace suck so much? Everyone posts..."Myspace Sucks", yet they give no reasons why. If it is about the emo kids, stay away from them. It's your choice. If it's spam, what email account that you have does not get spam? I see it as the most "customizable" social networking site. If you have something better...I'd like to see it.
- Metal_Hurlant, on 10/12/2007, -0/+0
Like many others have said, cross-site scripting has nothing to do with using ColdFusion.
In this case, it's not caused by a lack of checking either: Myspace has plenty of checks to stop script injections.
Yet it's not working.
Why, you ask? It has to do with the way the checks are done.
To stop harmful content, you can either use a "black list" of disallowed content, or you can use a "white list" of acceptable content.
In the first case, anything that isn't on the black list is allowed through. That's what Myspace is doing, and that's why they're failing: It requires the coder to know the exact and complete list of possible bad content.
As it happens, there are many many ways of running javascript in a web page, and it's not clear that there is even one person on earth that knows them all.
The alternative? Use a white list of acceptable tags, and acceptable parameter contents. Be very careful with wildcards (although you will have to use a few.)
Here, the risk won't be that script may run and unleash odd XSS worms, but that some advanced HTML/CSS coding may not work when submitted by your users.
That probably wouldn't bother Myspace users much.
- jimz, on 10/12/2007, -0/+0
I never said it was a problem with coldfusion. I was just adding a little humor.
- mrkoje, on 10/12/2007, -0/+0
It looks like winxp with a 3rd party theme. Maybe... I haven't seen many vista previews. However, he is clearly using firefox browser.
- sayitaintjonas, on 10/12/2007, -1/+1
What's everyone's problem with myspace anyway? Does no one else use it to keep up with friends? I assume most people using their time to write worms have few friends anyhow. I mean, it's not the best site ever made, but it's convenient and a lot of people know about it so it makes finding old friends relatively easy.
That's right, I'm pro-myspace, flame away flamers.
- MonkeyFit, on 10/12/2007, -0/+0
I keep hearing all these people talking ***** about MySpace. I have never been there, and from the sounds of it, don't plan on ever going there. And this worm thing is just hilarious.
- QuorumCall, on 10/12/2007, -0/+0
Is he running Vista in that screenshot?
- Kingmichael, on 10/12/2007, -0/+0
MySpace sucks butt.
- Dabisu, on 10/12/2007, -0/+0
LMAO, definitely Kingmichael!
- finalcut, on 10/12/2007, -0/+0
i just read that first sentence and saying asp, rails, java.. doesn't really make much sense since I'm comparing apples to oranges since java is a language, asp is more a platform, and rails is a framework. I guess that should have read:
vb.net, c#, ruby, java..
- esteban, on 10/12/2007, -0/+0
Looks like he is using a shell, could be bblean -- it is definitely not Vista.
http://bb4win.sourceforge.net/bblean/
- mikeruiz7, on 10/12/2007, -0/+0
That kicks ass. I hate MySpace but I do like how easy it is for people to listen to your music...
Other than that, worm away.
- tjhanley, on 10/12/2007, -0/+0
it isn't really a CF issue. it is that they allow you to put whatever you want into any text area, CSS, HTML, TEXT. they are probably only checking for keywords like
- gamer31, on 10/12/2007, -0/+0
Someone just post the working script.
- reversial, on 10/12/2007, -0/+0
More myspace 0wn4g3. Awesome.
- inactive, on 10/12/2007, -0/+0
fyre: you can block spammers by clicking X, don't respond to them :
- diggnationdevon, on 10/12/2007, -0/+0
lol Pwned
- kobs, on 10/12/2007, -0/+0
@your_mom:
A girl was murdered by a guy she met on MySpace.
http://www.myspace.com/doowop
- hammerattack, on 10/12/2007, -0/+0
Coldfusion is junk, but it has nothing to do with XSS attacks. The same crap would have worked on asp, php, or...*bleck*...perl.
- fyre2012, on 10/12/2007, -0/+0
first off: FRAGaLOT: Agree, myspace is trash. However... please ***** off and don't post your stupid free-ipod BS. Spammer.
As for myspace being 'hacked' again, maybe if they had a little better input validation they'd have no problems. I'd have to know for sure how the js was executed, but if it's being sent to the servers there should be a script that goes something like this: (speaking generally)
    if (script != formatWeLike) {
        // don't upload
    } else {
        upload();
    }
It's more to do with checking what goes through their servers, and not about what architecture it's running. Yah, cfm is a BITCH, and windows servers are about as smart as using, well, windows ;)
I don't think it'd be a good thing for someone to post the code or a link to it from here. Could make Digg liable in some way (i know, we don't think so, but think like a greedy scummy lawyer for a sec..)
It'd be neat to check out tho.
- j_bellone, on 10/12/2007, -0/+0
That could be the single worst web design I have ever seen. What a ***** ***** job. Get a new website buddy.
- scottm13, on 10/12/2007, -0/+0
so if one of us were stupid enough to click his myspace and click on one of his blogs and get their myspace owned... how would one go about fixing it?
- nytechy, on 10/12/2007, -0/+0
haha, I like Typepad. Nice..clean...interface
- Zedtech, on 10/12/2007, -0/+0
The sad part is, when I saw the domain I immediately knew who this was.
Dude, MX has finally made a name for himself... sad. Nobody here knows he's a 15 year old kid who tries to be hardcore for writing AIM Viruses.
Good job on MX finally making a name for himself though - I nearly crapped my pants when I saw it was linked to his site.
- poobread, on 10/12/2007, -0/+0
haha. He must've been getting a lot of ims.
- your_mom, on 10/12/2007, -0/+0
"Good to see that you are up on current events. You're an idiot."
well, i never saw it, jeez. thanks for pointing it out. then why haven't they shut down that piece of ***** they call a website???
- Rain, on 10/12/2007, -0/+0
It looks like his theme is BlackMesa?
- brosner, on 10/12/2007, -0/+0
doesn't myspace e-mail for each friend request? hehehe
- inactive, on 10/12/2007, -0/+0
Coldfusion rules. Way to ***** on it for no reason.
- N3LDAN, on 10/12/2007, -0/+0
i own3d it a while ago, they allow flash. flash allows javascript. no way to block that without removing flash. didn't make it replicating though, don't want fox to bone me.
- Kootaphor, on 10/12/2007, -0/+0
Yeah, I think a lot of the conflict here is hardcore code heads vs. regular people who just want the thing to work.
- fyre2012, on 10/12/2007, -0/+0
Shii: you're right, but i wanted to make sure s/he knew that spamming isn't cool. If no one tells them, how will they know! ;)
- jimz, on 10/12/2007, -0/+0
Mx has put privacy on and will not accept any more IMs from people not on his buddylist. :)
- spoonzor, on 10/12/2007, -0/+0
"well, i never saw it, jeez. thanks for pointing it out. then why haven't they shut down that piece of ***** they call a website???"
If someone gets stabbed do you blame the knife?
- foreplay, on 10/12/2007, -0/+0
wasn't the original hole because of poor handling of code in internet explorer. I remember reading myspace filters the word javascript so he split it up into 2 by javan script. it's very hard for myspace to deal with so it looks like they are limiting the number of possible friends you can have to stop the spread of these worms.
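An added example (not code from the Digg thread, MySpace, or any commenter) contrasting the keyword black list that tjhanley and foreplay describe with the white list Metal_Hurlant recommends: the markup is rebuilt from an allowed set of tags and attributes and everything else is emitted as escaped text, the same effect tjhanley gets with createTextNode. The allowed tags, attributes and URL schemes are my own choice, and the block assumes Node.js.

```javascript
// Added example, not code from the Digg thread, MySpace or any commenter.
// Allowed tags/attributes below are my own choice for the demonstration.
const ALLOWED_TAGS = new Set(["b", "i", "p", "br", "a", "img"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);

// Black list as foreplay describes it: reject input containing "javascript".
// Anything the author did not anticipate (the word split across a line break,
// an event-handler attribute) sails through untouched.
function blacklistFilter(html) {
  return /javascript/i.test(html) ? "" : html;
}

// Only http(s) or scheme-less (relative) URLs are kept. Whitespace and control
// characters are stripped first, because browsers ignore them inside a scheme.
function safeUrl(value) {
  const norm = value.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
  const scheme = norm.match(/^([a-z][a-z0-9+.-]*):/);
  return !scheme || scheme[1] === "http" || scheme[1] === "https" ? value : null;
}

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// White list: walk the input as tags and text, emit only what is allowed.
// Ampersands are re-escaped too, so an entity cannot smuggle in a scheme.
function whitelistFilter(html) {
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+|<)/g;
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  for (const m of html.matchAll(tokenRe)) {
    if (m[3] !== undefined) { out += escapeText(m[3]); continue; } // text node
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;                 // unknown tag: dropped
    if (m[0].startsWith("</")) { out += `</${tag}>`; continue; }
    let attrs = "";
    for (const a of m[2].matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!(ALLOWED_ATTRS[tag] || []).includes(name)) continue; // e.g. onerror, style
      const v = URL_ATTRS.has(name) ? safeUrl(value) : value;
      if (v === null) continue;                           // bad scheme: attribute dropped
      attrs += ` ${name}="${escapeText(v).replace(/"/g, "&quot;")}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out;
}
```

The trade-off Metal_Hurlant mentions is visible here: a tag or attribute the list does not know about, such as style or an embed, is silently dropped rather than allowed.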
- rayde, on 10/12/2007, -0/+0
the people who are hating myspace obviously aren't meeting interesting people through it.
i can deal with an embedded WMV file here and there if i am also introduced to somebody interesting to meet up with for a show or something.
- poobread, on 10/12/2007, -0/+0
Oh man, i used to go to a forum where this kid was a member.
His Aim sn is "Mx1".
- bhaugh, on 10/12/2007, -0/+0
Dude, don't forget that a lot of businesses need to prioritize rapid development over quality development.
Do you think MySpace falls under that category? (I do.)
Also, all you bashers/proponents of web programming languages, remember that in the end it has nothing to do with the language--it's how you use it.
Quit spreading FUD and quantify your baseless opinions.
"Server is a piece" -- how? What? You lost the link to the forum post that told you why?