Date: Wed Jul  5 19:57:44 2006
From: xploitable at gmail.com (n3td3v)
Subject: Re: [WEB SECURITY] Cross Site Scripting in Google

This one is bogus...

On 7/5/06, RSnake <rsnake@...cking.com> wrote:
> Here's another one:
>
> http://www.google.com/url?sa=D&q=http://www.fthe.net

Wrong! That redirection URL is doing exactly what it's meant to do. The
system is used when you post a URL on a Google Groups description for
example. There is no exploit there, and it won't be fixed by Google,
because there's nothing to fix. Try it for yourself. Create yourself a
Google Group and put in a URL in the group description, and you will
see your URL has been added to the end of www.google.com/url

Likewise on Yahoo, Yahoo have rd.yahoo.com for exactly the same
reason, to keep track of URLs posted by the public on their web
applications.

Google and Yahoo use the system, so they can store URLs on a database,
where they have full control of URLs posted by the public.

Google and Yahoo are sick of people mentioning their URL redirection
system on security lists. The system was designed to do what you're
showing in your example, by default. It is designed for the only purpose
you're showing everyone right now.

There is no threat beyond what the design specification of the URL
redirection web address is supposed to do.

Please go away and only post _real_ disclosures for Google and Yahoo in future.

n3td3v
