[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] www.google.com xss vulnerability Using mhtml
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] www.google.com xss vulnerability Using mhtml
- From: IEhrepus <5up3rh3i@xxxxxxxxx>
- Date: Wed, 26 Jan 2011 01:33:16 -0800
Long, long time ago, we heard an interesting legend is www.google.com
will Pay for its vulnerability,so we want to try ...
lucky,A vulnerability has been caught by my friend
PZ[http://hi.baidu.com/p__z], this vul is base on 《Hacking with mhtml
protocol
handler》[http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt]:
mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!xxxx
we are very happy,so we post it to security@xxxxxxxxxx for the legend
:)[2011/01/23].We got a reply soon [2011/01/24]:
---------------------------------------------------
Hi Pavel,
Nice catch! I’ve filed a bug internally and will keep you in the loop
as things progress.
Regards,
xxx- Google Security Team
--------------------------------------------------
but .....
-------------------------------------------------
Hi Pavel,
The panel has determined this doesn't qualify for a reward for 2 reasons:
1) A very close variant was publicly disclosed on 21 Jan:
http://www.wooyun.org/bugs/wooyun-2010-01199
2) Technically, it's not a bug in Google, it's really a big in IE.
Cheers,
xxx, Google Security Team
-----------------------------------------------
and Today we test the vul again ,it has been fixed .[2011/01/26]
Thus, we understand the unspoken rules of this, This is a football
game, the vulnerability is the ball , MS and GG are the players
----by superhei from http://www.80vul.com
hitest
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/