RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google



For those who didn't read earlier: This isn't a bug, it's a feature.

The URL specified is DESIGNED to redirect, e-mailing Google about it is
simply going to make you look stupid.

Ed

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Javor Ninov
Sent: 06 July 2006 06:00
To: RSnake
Cc: full-disclosure@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx;
bugtraq@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx;
bugtraq@xxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting
in Google



RSnake wrote:

Just for the record, I should clarify. Google was not notified of this
exploit prior to full disclosure. As I said, they are notoriously slow
(or completely delinquent) in fixing these issues historically. If you
need proof click here to see four redirect issues disclosed nearly 6
months ago that are still not fixed.

http://seclists.org/lists/webappsec/2006/Jan-Mar/0066.html

Here's another one:

http://www.google.com/url?sa=D&q=http://www.fthe.net

Typically I don't believe in full disclosure as a release methodology
(for instance, if I found a remote vulnerability in Microsoft, I
wouldn't disclose that without giving Microsoft months to release a
patch, as they have taken their patching process very seriously as of
late and their responsibility in this matter has been far improved).
Either Google was not convinced when they were used as a phishing
relay last time, or they do not take this seriously. Either way, it
takes all but a few days to patch these issues in a website, QA them
and release them, and Google has not done so, making contacting the
vendor a useless exercise to date, in my opinion.

My opinion is that full disclosure is not for vendors. It's for users.
Full disclosure is for us to know how to react on certain threads. I
personally don't care about the vendors, although my company is a
vendor itself. We also produce software and we also care about the
security of our software. But I expect users to post to security groups
instead of mailing me personally. If the vendor cares about his users
he should watch the security groups.

I believe in FULL disclosure, and I think this is the better way.

--
Javor Ninov aka DrFrancky
securitydot.net

On Wed, 5 Jul 2006, bugtraq@xxxxxxxxxxxxxxx wrote:

Did you even bother to email them and let them know? Being that
they're still vulnerable probably not....

- z



Google is vulnerable to cross site scripting attacks. I found a
function built off their add RSS feed function that returns HTML if
a valid feed is found. It is intended as an AJAXy (dynamic JavaScript
anyway) call from an inline function, and the page is intended to do
sanitation of the function. However, that's too late, and it
returns the HTML as a query string, that is rendered, regardless of
the fact that it is simply a JavaScript snippet.

Here is the post that explains the whole thing:

http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/



-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/

----------------------------------------------------------------------------

The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]





-R

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
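The two issues argued over in this thread, a redirector that forwards the user to whatever its q= parameter names and an endpoint that returns HTML built from request input, shown from the defender's side. This is an added example, not code from any of the messages or from Google; the allowlist, host names and function names are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: the only host:port strings the redirector may use.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "example.com"}


def is_safe_redirect(target: str) -> bool:
    """Accept a redirect target only if it is an absolute http(s) URL whose
    netloc exactly matches the allowlist.  Comparing the whole netloc, not a
    prefix or substring, rejects userinfo tricks (http://www.example.com@evil),
    scheme-relative //evil/, unexpected ports and schemes such as javascript:."""
    if not target or any(ch in target for ch in "\\\r\n\t "):
        # Browsers and servers parse backslashes and whitespace differently;
        # refuse them rather than guess which interpretation wins.
        return False
    parts = urlsplit(target)          # scheme is lower-cased by urlsplit
    if parts.scheme not in ("http", "https"):
        return False
    return parts.netloc.lower() in ALLOWED_REDIRECT_HOSTS


def feed_html_vulnerable(title: str) -> str:
    """The bug class from the thread: request-supplied text is dropped straight
    into an HTML fragment that the calling page will render."""
    return f'<div class="feed">{title}</div>'


def feed_html_hardened(title: str) -> str:
    """Encode on the server before the fragment leaves the endpoint; any
    "sanitation" the calling page does afterwards is too late."""
    return f'<div class="feed">{html.escape(title, quote=True)}</div>'


def classify_targets(targets):
    """Map each candidate redirect target to the redirector's verdict."""
    return {t: is_safe_redirect(t) for t in targets}


if __name__ == "__main__":
    # Constructed inputs; evil.invalid is a reserved, non-resolving name.
    for url, ok in classify_targets([
        "https://www.example.com/search?q=1",
        "http://evil.invalid/login",
        "//evil.invalid/",
        "http://www.example.com@evil.invalid/",
        "https://www.example.com:8080/",
        "javascript:void(0)",
    ]).items():
        print("allow " if ok else "reject", url)
    print(feed_html_vulnerable('<b>Feed</b> & "q"'))
    print(feed_html_hardened('<b>Feed</b> & "q"'))
```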
