It's actually an IE error; IE will allow JavaScript to be run within CSS script tags, Mozilla won't. The writer split the word javascript across two lines to fool MySpace's scrubbing code and then used XMLHTTPRequest.
CFMX7.01 wouldn't have helped.

-----Original Message-----
From: Larry C. Lyons [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 9:58 AM
To: CF-Community
Subject: Re: Cross-Site Scripting Worm Hits MySpace

interesting small hack. I wonder if it would have worked if they used CFMX 7.01.

larry

On 10/14/05, Kevin Graeme <[EMAIL PROTECTED]> wrote:
> http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
>
> "One clever MySpace <http://www.myspace.com/> user looking to expand
> his buddy list recently figured out how to force others to become his
> friend, and ended up creating the first self-propagating cross-site
> scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1
> million friends on the popular online community."
>
> "To do this without a user's knowledge, the code utilized XMLHTTPRequest"
>
> Whee.
>
> -Kevin
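The scrubbing problem described in the top reply of this thread, seen from the filter's side, as an added example that is not part of the original messages or of MySpace's code. The function names, the allowed-property list and the sample style values are all constructed for illustration.

```javascript
// Constructed sample style values (not taken from the worm itself).
const samples = {
  plain: "background:url('javascript:void(0)')",
  split: "background:url('java\nscript:void(0)')", // keyword split across two lines
  benign: "color: red; font-weight: bold",
  mixed: "color: red; background:url('java\nscript:void(0)')",
};

// Weak check: literal substring match, defeated by the line break.
function naiveHasScript(style) {
  return style.toLowerCase().includes("javascript");
}

// Better blocklist check: drop whitespace and control characters first, so a
// keyword split across lines is rejoined before matching.
function normalizedHasScript(style) {
  const collapsed = style.replace(/[\s\u0000-\u001f\u007f]+/g, "").toLowerCase();
  return collapsed.includes("javascript");
}

// Preferred mitigation: allowlist. Keep only known properties whose values
// contain nothing but plain characters (no url(), no quotes, no parentheses).
const ALLOWED_PROPS = new Set(["color", "font-weight", "text-align"]);
const SAFE_VALUE = /^[a-z0-9#%. -]+$/i;

function sanitizeStyle(style) {
  return style
    .split(";")
    .map((decl) => decl.split(":"))
    .filter((parts) => parts.length === 2) // exactly one "property: value" pair
    .map(([prop, value]) => [prop.trim().toLowerCase(), value.trim()])
    .filter(([prop, value]) => ALLOWED_PROPS.has(prop) && SAFE_VALUE.test(value))
    .map(([prop, value]) => `${prop}: ${value}`)
    .join("; ");
}

for (const [name, style] of Object.entries(samples)) {
  console.log(name, {
    naive: naiveHasScript(style),
    normalized: normalizedHasScript(style),
    sanitized: sanitizeStyle(style),
  });
}
```

The normalized blocklist still only knows the one keyword it looks for; the allowlist drops anything it does not recognize, which is why it holds up when the input is obfuscated in a way the filter author did not anticipate.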
