
Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml



Not a Google vuln.
Hunt down MSFT to pay for your bug.
Oh wait, they don't pay for free research.. 0noz, you won't get any candy!

2011/1/27, IEhrepus <5up3rh3i@xxxxxxxxx>:
> Security is general; many security issues are composed of many
> different vulnerabilities from different vendors.
>
> like this vul: " mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!xxxx "
>
> ----------------------------------------------------------------
> so coming back to this vul, it needs two conditions:
> 1. the www.google.com app doesn't filter the CRLF
> 2. IE supports the mhtml protocol handler to render the mhtml file format,
> and this is why mhtml: is designed
> --------------------------------------------------------------
>
> Both are indispensable. So Google's vul is that it doesn't take into
> account the security implications of using mhtml,
>
> the MS vul is that "it does not honor Content-Type and related headers
> (or even "nosniff")", as MZ said.
>
> GG and MS, both are vul...
>
> In addition, if MS says this is mhtml:'s original function, then Google
> is very dangerous to users who are using IE.
>
> Even if MS fixes it, how about the Google users who do not have time
> to upgrade IE?
>
> ----by superhei
> hitest
>
>
>
> 2011/1/26 Michal Zalewski <lcamtuf@xxxxxxxxxxx>:
>>> 1. the www.google.com app doesn't filter the CRLF
>>
>> This is not strictly required; there are other scenarios where this
>> vulnerability is exploitable.
>>
>>> 2. IE supports the mhtml protocol handler to render the mhtml file format,
>>> and this is why mhtml: is designed
>>
>> The real problem is that when mhtml: is used to fetch the container
>> over an underlying protocol, it does not honor Content-Type and
>> related headers (or even "nosniff").
>>
>> /mz
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

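As an added example (not written by any participant in this thread), here is the server-side half of what superhei's two conditions imply: a Python check that refuses a reflected redirect parameter carrying CR/LF in raw, percent-encoded or double-encoded form, plus the same check run as a detector over constructed access-log lines. The endpoint path and parameter name follow the URL quoted above; the log lines are constructed, and since MZ notes that mhtml: ignores Content-Type and nosniff, the example deliberately checks the reflected input rather than response headers.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from the thread) for a redirector that
# reflects the user-supplied "u" parameter on the path quoted in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2011:10:01:02 +0000] "GET /gwt/n?u=http%3A%2F%2Fexample.org%2F HTTP/1.1" 302 0
203.0.113.9 - - [27/Jan/2011:10:01:07 +0000] "GET /gwt/n?u=http%3A%2F%2Fexample.org%2F%0D%0Ainjected HTTP/1.1" 302 0
203.0.113.9 - - [27/Jan/2011:10:01:09 +0000] "GET /gwt/n?u=http%3A%2F%2Fexample.org%2F%250D%250Ainjected HTTP/1.1" 302 0
203.0.113.7 - - [27/Jan/2011:10:01:11 +0000] "GET /search?q=%0D%0A HTTP/1.1" 200 512
"""

CRLF = re.compile(r"[\r\n]")
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """Percent-decode until stable so double-encoded %250D%250A is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_crlf(value):
    """True if the value carries CR or LF in raw or percent-encoded form."""
    return CRLF.search(decode_fully(value)) is not None


def validate_redirect_target(value):
    """Condition 1 fixed server-side: refuse (do not strip) CR/LF targets."""
    if has_crlf(value):
        raise ValueError("CR/LF in redirect target")
    return value


def flag_crlf_requests(log_text, endpoint="/gwt/n", param="u"):
    """Detection: request targets on `endpoint` whose `param` carries CR/LF."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != endpoint:
            continue
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        if any(has_crlf(v) for v in values):
            hits.append(match.group(1))
    return hits
```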