Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable



On Wednesday 12 December 2007 11:27:28 Steven Adair wrote:
Glad to see we figured it out. :) Yes, "Cross Site Request Forgery" would
be the correct term referenced by the acronym in all of the replies
(subsequently also the first result in a normal Google query).

And there you have it: I can use Google and Wikipedia. ;)

I'm still
not quite sure what the big deal on the favicon stuff in terms of this
issue. So lets say you completely disabled favicons altogether. Now when
you visit the original PoC - it no longer works. However, if you simply
had a 302 or mod_rewrite rule for any image that you actually had written
into the source of your page, you could achieve the same result.

You are probably asking the wrong guy, but one of the comments made earlier in
this thread claimed that the favicon method bypasses Noscript protections.
Aside from XSS blocking, Noscript would eliminate IFRAMEs and most
Javascript. Would your technique bypass it?

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/