Date: Wed Jul 5 19:57:44 2006
From: xploitable at gmail.com (n3td3v)
Subject: Re: [WEB SECURITY] Cross Site Scripting in Google

This one is bogus...

On 7/5/06, RSnake <rsnake@...cking.com> wrote:
> Here's another one:
>
> http://www.google.com/url?sa=D&q=http://www.fthe.net

Wrong! That redirection URL is doing exactly what it's meant to do. The system is used when you post a URL on a Google Groups description for example. There is no exploit there, and it won't be fixed by Google, because there's nothing to fix.

Try it for yourself. Create yourself a Google Group and put in a URL in the group description, and you will see your URL has been added to the end of www.google.com/url

Likewise on Yahoo, Yahoo have rd.yahoo.com for exactly the same reason, to keep track of URLs posted by the public on their web applications.

Google and Yahoo use the system, so they can store URLs on a database, where they have full control of URLs posted by the public.

Google and Yahoo are sick of people mentioning their URL redirection system on security lists.

The system was designed to do what you're showing in your example, by default. It is designed for the only purpose you're showing everyone right now. There is no threat beyond what the design specification of the URL redirection web address is supposed to do.

Please go away and only post _real_ disclosures for Google and Yahoo in future.

n3td3v