[WEB SECURITY] Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google

Javor Ninov drfrancky at securax.org
Thu Jul 6 00:59:45 EDT 2006



RSnake wrote:
> 
> Just for the record, I should clarify. Google was not notified of this
> exploit prior to full disclosure. As I said, they are notoriously slow
> (or completely delinquent) in fixing these issues historically. If you
> need proof click here to see four redirect issues disclosed nearly 6
> months ago that are still not fixed.
> 
> http://seclists.org/lists/webappsec/2006/Jan-Mar/0066.html
> 
> Here's another one:
> 
> http://www.google.com/url?sa=D&q=http://www.fthe.net
> 
> Typically I don't believe in full disclosure as a release methodology
> (for instance, if I found a remote vulnerability in Microsoft, I
> wouldn't disclose that without giving Microsoft months to release a
> patch as they have taken their patching process very seriously as of
> late and their responsibility in this matter has been far improved).
> Either Google was not convinced when they were used as a phishing relay
> last time, or they do not take this seriously.  Either way, it takes all
> but a few days to patch these issues in a website, QA them and releast
> them, and Google has not done so, making contacting the vendor a useless
> excersize to date, in my opinion.
> 
my opinion is that full disclosure is not for vendors .. it's for users.
full disclosure is for us to know how to react on certain threads. i
personally don't care about the vendors , although my company is a
vendor itself . we also produce software and we also care about security
of our software. but i expect users to post to security groups instead
of mailing me personally. If the vendor cares about his users he should
watch the security groups.

I believe in FULL disclosure
And i think this is the better way.

--
Javor Ninov aka DrFrancky
securitydot.net

> On Wed, 5 Jul 2006, bugtraq at cgisecurity.net wrote:
> 
>> Did you even bother to email them and let them know? Being that
>> they're still vulnerable probably not....
>>
>> - z
>>
>>>
>>>
>>> Google is vulnerable to cross site scripting attacks.  I found a
>>> function built off their add RSS feed function that returns HTML if a
>>> valid feed is found.  It is intended as an AJAXy (dynamic JavaScript
>>> anyway) call from an inline function and the page is intended to do
>>> sanitation of the function.  However, that's too late, and it returns
>>> the HTML as a query string, that is rendered, regardless of the fact
>>> that it is simply a JavaScript snippet.
>>>
>>> Here is the post that explains the whole thing:
>>>
>>> http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
>>>
>>>
>>>
>>> -RSnake
>>> http://ha.ckers.org/
>>> http://ha.ckers.org/xss.html
>>> http://ha.ckers.org/blog/feed/
>>>
>>> ----------------------------------------------------------------------------
>>>
>>> The Web Security Mailing List:
>>> http://www.webappsec.org/lists/websecurity/
>>>
>>> The Web Security Mailing List Archives:
>>> http://www.webappsec.org/lists/websecurity/archive/
>>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>>
>>
>>
>> -------------------------------------------------------------------------
>> Sponsored by: Watchfire
>>
>> Securing a web application goes far beyond testing the application using
>> manual processes, or by using automated systems and tools. Watchfire's
>> "Web Application Security: Automated Scanning or Manual Penetration
>> Testing?" whitepaper examines a few vulnerability detection methods -
>> specifically comparing and contrasting manual penetration testing with
>> automated scanning tools. Download it today!
>>
>> https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
>> --------------------------------------------------------------------------
>>
>>
> 
> 
> -R
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060706/51fa2b7c/attachment.asc>


More information about the websecurity mailing list