[NEWS] Google.com UTF-7 XSS Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Google.com UTF-7 XSS Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Two XSS vulnerabilities were identified in the Google.com website, which
allow an attacker to impersonate legitimate members of Google's services
or to mount a phishing attack. Although Google uses common XSS
countermeasures, a successful attack is possible when using UTF-7 encoded
payloads.

DETAILS

Google's URL redirection script:
The script (http://www.google.com/url?q=...) is normally used for
redirecting the browser from Google's website to other sites.

For example, the following request will redirect the browser to
http://www.watchfire.com:
http://www.google.com/url?q=http://www.watchfire.com

When the parameter (q) is passed to the script in an illegal format (the
expected format appears to be http://domain), a "403 Forbidden" page is
returned to the user, stating that the query was illegal. The parameter's
value appears in the HTML returned to the user.

If http://www.google.com/url?q=USER_INPUT is requested, the text in the
"403 Forbidden" response would be:
"Your client does not have permission to get URL /url?q=USER_INPUT from
this server."

The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=[encoding]".
* Response body: "<meta http-equiv="Content-Type" (...)
charset=[encoding]/>".

Google's 404 NOT FOUND mechanism:
When requesting a page which doesn't exist under www.google.com, a 404 NOT
FOUND response is returned to the user, with the original path requested.

If http://www.google.com/NOTFOUND is requested, the following text appears
in the response:
"Not Found The requested URL /NOTFOUND was not found on this server."

The server response lacks charset encoding enforcement, such as:
* Response headers: "Content-Type: text/html; charset=[encoding]".
* Response body: "<meta http-equiv="Content-Type" (...)
charset=[encoding]/>".

XSS vulnerabilities:
While the aforementioned mechanisms (URL redirection script, 404 NOT
FOUND) escape common characters used for XSS, such as <> (angle brackets)
and apostrophes, they fail to handle hazardous UTF-7 encoded payloads.

Therefore, when an XSS attack payload encoded in UTF-7 is sent, the
payload is returned in the response without being altered.

For the attack to succeed (script execution), the victim's browser must
treat the XSS payload as UTF-7.

IE charset encoding Auto-Selection:
If 'Encoding' is set to 'Auto-Select' and Internet Explorer finds a UTF-7
string in the first 4096 characters of the response body, it automatically
switches the charset encoding to UTF-7, unless a specific charset encoding
is already enforced.

This automatic encoding selection feature makes it possible to mount UTF-7
XSS attacks on Google.com.

Solution:
Google solved the aforementioned issues on 01/12/2005 by enforcing the
character encoding of the affected responses.
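The following is an added example (not Google's code and not part of the original advisory) that models the three points above: a response that echoes escaped user input without a declared charset, the auto-select condition (no enforced charset plus a UTF-7 shift sequence within the first 4096 bytes), and the fix of pinning the charset in both the header and a <meta> tag. The 403 page builder, the regexes and the sample input are constructed for illustration.

```python
import re
from html import escape

# Constructed model of the "403 Forbidden" page described in the advisory;
# not Google's actual response.
CHARSET_HEADER_RE = re.compile(r"charset\s*=\s*([\w-]+)", re.I)
META_CHARSET_RE = re.compile(r"<meta[^>]*charset\s*=\s*['\"]?([\w-]+)", re.I)
# IE's Auto-Select inspects the first 4096 characters of the body (per advisory).
SNIFF_WINDOW = 4096
# A UTF-7 shift sequence: '+' followed by modified-base64 and a closing '-'.
UTF7_SHIFT_RE = re.compile(rb"\+[A-Za-z0-9+/]+-")

def declared_charset(headers, body):
    """Return the charset a browser is told to use (lower-cased), or None
    when neither the Content-Type header nor a <meta> tag enforces one."""
    m = CHARSET_HEADER_RE.search(headers.get("Content-Type", ""))
    if m:
        return m.group(1).lower()
    head = body[:SNIFF_WINDOW].decode("ascii", "replace")
    m = META_CHARSET_RE.search(head)
    return m.group(1).lower() if m else None

def utf7_sniffable(headers, body):
    """True when the response is at risk under IE Auto-Select: no charset is
    enforced and a UTF-7 shift sequence sits inside the sniffing window."""
    if declared_charset(headers, body) is not None:
        return False
    return UTF7_SHIFT_RE.search(body[:SNIFF_WINDOW]) is not None

def build_403(user_input, enforce_charset):
    """Model the 403 page: <, >, quotes and apostrophes are escaped (as the
    advisory says Google did), but UTF-7 text contains none of them and
    passes through. enforce_charset=True applies the fix from the Solution."""
    headers = {"Content-Type": "text/html"}
    meta = ""
    if enforce_charset:
        headers["Content-Type"] = "text/html; charset=UTF-8"
        meta = '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
    body = ("<html><head>%s</head><body>Your client does not have permission "
            "to get URL /url?q=%s from this server.</body></html>"
            % (meta, escape(user_input, quote=True)))
    return headers, body.encode("utf-8")
```

A response audit can call utf7_sniffable() over captured proxy traffic; any True result means the page is relying on the browser to guess its encoding.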


ADDITIONAL INFORMATION

The information has been provided by
<mailto:security-research@xxxxxxxxxxxxx> Yair Amit (Watchfire Research).


