[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Flaw in google redirection url

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Flaw in google redirection url
From: Keepp the secret <keep.the.secret.secret@xxxxxxxxx>
Date: Mon, 13 Aug 2007 17:36:07 +0200

Hy,

there is a flaw in a google redirection url that can allow aredirection on any website from an url begining by http://www.google.com...

Here is the link:
http://www.google.com/url?q=http://whmt.blogspot.com/&sa=D&sntz=1&usg=1'

This link will redirect you on my blog(http://whmt.blogspot.com/).(It's safe)The flaw is in the variable usg that you can corrupt by writingusg=1'. It will allow any redirection.(And could be used for phishing)

See you soon.
Clement.
-_WHMT_-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] BLOGGER XSS VULNERABILITY
Next by Date: Re: [Full-disclosure] 0day
Previous by thread: Re: [Full-disclosure] DEFCON 15 and Blackhat 2007 presentations iso CDs ?
Next by thread: Re: [Full-disclosure] 0day
Index(es):
- Date
- Thread