[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Google is vulnerable from XSS attack
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Google is vulnerable from XSS attack
- From: n3td3v <xploitable@xxxxxxxxx>
- Date: Sat, 3 Dec 2005 04:36:47 +0000
Vendor: Google
Service: Groups
Issue: XSS in pending message page
Description: The http://groups.google.com/group/n3td3v/pendmsg page is
vulnerable from cross-site-scripting attack. This allows a malicious
user to take the owner or moderator cookie from the user. This can
then be used to access a groups administrative controls.
Scenario: If a group is moderating messages before allowing a post, a
malicious user can send a message to the vulnerable pendmsg page.
If a group is unmoderated, but Google's anti-spam technology suspects
a message is from a known spammer or phisher, the message goes to the
pendmsg page. A malicious spammer or phisher can send a message to the
vulnerable pendmsg page.
Reproduction: Setup a test group and send a carefully crafted script
to the pendmsg page.
Proof of concept: <a class=newlink
href="http://www.google.com/url?sa=D&q=http://www.google.com?<script>alert(document.cookie)</script>">
Remarks: This is my second Google disclosure in under a year. That
makes two vulnerabilities for Google I have discovered. Can I make it
a third? Maybe you can come back next year to find out. ;-)
First disclosure: December 18th 2004
Second disclosure: December 3rd 2005
Credit: n3td3v
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/