[Full-disclosure] Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities



Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities

I. Background:
Google Docs is an online application which makes possibile to "Create and
share your work online". You can use it to create Documents, Presentations,
Spreadsheets and Forms.


II. Description:
Multiple cross site scripting vulnerabilities were identified in Google
Docs. A remote attacker could write a malformed document and invite, through
Google Docs sharing option, other users to see it in order to obtain their
cookies. It's also possible to public this malformed document and send its
link around the web.


III. Details:
Google Docs makes possible to create a new document. When a user creates a
new document he has the possibility to change its html code through the Edit
Html option. An attacker can make a malformed document using decimal HTML
entities (without semicolons) and hexadecimal entities (with semicolons) to
bypass antixss filters.

Example:
<IMG SRC="javascript&#010:alert('test');"> (decimal HTML entity)
<IMG SRC="javascript&#x0A;:alert('test');"> (hexadecimal HTML entity)

Please note: IMG tag isn't the only affected, it's just an example.

The attacker then will save his job and can share this document with someone
else or send the document link to the victim to obtain his cookie.


IV. Vendor Response:
Google has been informed and has deployed a fix for these vulnerabilities.

V. Disclosure timeline:
23/08/08 - Vulnerabilities discovered
25/08/08 - Google informed
25/08/08 - Automatic reply from Google received
24/09/08 - Ask Google for updates
25/09/09 - Google fixed all vulnerabilities submitted


Regards
Alfredo Melloni
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities
    ... Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities ... Google Docs is an online application which makes possibile to "Create and share your work online". ... Multiple cross site scripting vulnerabilities were identified in Google Docs. ...
    (Bugtraq)
  • Re: OT - html code SEARCH ENGINE ?
    ... teo wrote: ... find such specific, keyword instances. ... how/where can i put some html code inside my page, ... by using Google (or others search ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: OT - html code SEARCH ENGINE ?
    ... "teo" wrote in message ... how/where can i put some html code inside my page, ... by using Google (or others search ... Chances of finding a snippet of code containing "maradona.jpg" are very ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Pubmed modifications, was "Never Say Never"
    ... All of the standard search modifiers to hone in on a specific set of ... results work as in the full google. ... For example in the google I modified the html code so 100 results are given ... text entry field, removing unneeded links, having the text entry field be ...
    (sci.med.nutrition)
  • Re: Mac Client Withdrawal
    ... we've made the decision to withdraw our Mac Beta Client. ... storefront for Google Apps and services that is being announced today. ... synchronize their Microsoft Office Word, Excel, and PowerPoint, JPEG, ZIP, ... Adobe Acrobat PDF and other files with Google Docs directly. ...
    (comp.sys.mac.advocacy)