[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Forwarding message vulnerability on Google Groups

To: full-disclosure@xxxxxxxxxxxxxxxxx, security@xxxxxxxxxx
Subject: [Full-disclosure] Forwarding message vulnerability on Google Groups
From: n3td3v <xploitable@xxxxxxxxx>
Date: Fri, 16 May 2008 00:46:43 +0100

If joebloggs@xxxxxxxxxx is banned from a Google Group and
xploitable@xxxxxxxxx is registered with that group,
joebloggs@xxxxxxxxxx can subscribe to a mailing list such as
Full-Disclosure and start forwarding all messages xploitable@xxxxxxxxx
sends to that mailing list if xploitable@xxxxxxxxx is registered to
it, and directly post them to the Google Group joebloggs@xxxxxxxxxx is
banned from.

This is probably done by the banned joebloggs@xxxxxxxxxx setting up a
filter on Gmail Settings > Filter > Matches:
from:(xploitable@xxxxxxxxx)
Do this: Forward to (n3td3v@xxxxxxxxxxxxxxxx).

Severity of this issue is obviously critical and you should switch the
victim's registered (xploitable@xxxxxxxxx) e-mail address on a Google
Group to "moderate" as a work around, until Google Groups fixes this
vulnerability.

Google Inc. (GOOG) was notified simultaneously as this security
advisory was published to the wild.

http://finance.google.com/finance?q=NASDAQ:GOOG/

http://groups.google.com/

http://google.com/

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] ZDI-08-025: Symantec Altiris Deployment Solution Domain Credential Disclosure Vulnerability
Next by Date: Re: [Full-disclosure] Hey ISS/X-Force Dudez!!!!
Previous by thread: Re: [Full-disclosure] ZDI-08-025: Symantec Altiris Deployment Solution Domain Credential Disclosure Vulnerability
Next by thread: [Full-disclosure] Announcement: New Certification Offered
Index(es):
- Date
- Thread