freecodesource.txt

`Freecodesource.com is a distributor of myspace profile mods and general crapola.  
They provide an swf file which allows a myspace user to pop an alert  
box on profile page load, with custom text; the text is extracted from  
the url of the swf file, then used as a get parameter ('what') to the  
url http://www.freecodesource.com/pages/myspacegenerators/welcome.php  
which returns a script element containing the customized alert.  
The popup code bypasses Myspace's filters by being loaded into a  
common named iframe ('up_launchIC') on myspace pages, using the  
'target' parameter of the actionscript method getURL().  
This can't do anything interesting, since the code used to create the  
alert is outside of the myspace.com domain and is therefore subject to  
cross-domain restrictions; at most you can navigate to one page using  
the browser's security credentials (location.reload).  
  
The XSS is in welcome.php; by closing the script tag in the 'what'  
parameter and injecting your own, you can conceivably act on the  
freecodesource.com domain using the browsing user's credentials (I  
have XHR in mind):  
http://www.freecodesource.com/pages/myspacegenerators/welcome.php?what=%22);%3C/script%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E  
  
I would like to thank the monkeys at freecodesource.com for stealing  
this technique from me (which is why I looked for the xss in the first  
place), and for polluting myspace with all of their crap. Good luck,  
monkeys.  
  
"I hate to advocate drugs, alcohol, violence or insanity to anyone,  
but they've always worked for me." HST  
  
`