lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 21 Jan 2013 22:11:35 -0200
From: ANTRAX <antrax.bt@...il.com>
To: Jakub Zoczek <zoczus@...il.com>
Cc: Hispabyte HQH <fdkaos2000@...oo.es>, vuln@...unia.com,
	submissions@...ketstormsecurity.com, vuldb@...urityfocus.com,
	submit@...ecurity.com, full-disclosure@...ts.grok.org.uk,
	mr.inj3ct0r@...il.com, el-brujo@...acker.net
Subject: Re: [0 Day] XSS Persistent in Blogspot of Google

I know JZ, but this vulnerability is in the post and no in the template.
And this could be generated by blogger and affect to administrator!
The blogger can edit, but haven't admin. If the blogger post some script,
this affect to administrator.


---
Saludos Cordiales
*ANTRAX*
www.antrax-labs.org


2013/1/21 Jakub Zoczek <zoczus@...il.com>

> Hi,
>
> *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
> permitted to place custom JavaScript in their own blog templates and blog
> posts; our take on this is that blogs are user-generated content, not
> different from any third-party website on the Internet. Naturally, for your
> safety, we do employ spam and malware detection technologies - but we
> believe that the flexibility in managing your own content is essential to
> the success of our blogging platform.
>
> *Therefore, the ability to execute owner-supplied scripts on your own
> blog is not considered to be a vulnerability. That being said, the ability
> to inject arbitrary JavaScript onto somebody else’s blog would likely
> qualify for a reward!
>
> *Source <http://www.google.com/about/appsecurity/reward-program/>*
> *
>
>
> Peace,
> JZ
>
>
> On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX <antrax.bt@...il.com> wrote:
>
>> Hi all, I'm ANTRAX from Argentina, and I'm owner of www.underc0de.org
>> Today, I going to shared with you about XSS in blogger. This is a very
>> simple, but isn´t fix yet..
>> This bug could be exploited by bloggers without administrator permissons.
>>
>> Steps to reproduce the XSS:
>>
>> 1.- Create a new post in the blog and insert some script
>>
>> [image: Imágenes integradas 1]
>>
>> 2.- When the administrator enter in the administration panel in
>> "templates" section, blogger automatically executed the script, because
>> blogger have a mini-preview in "Ahora en el blog", then execute the script
>>
>> [image: Imágenes integradas 2]
>>
>> 3.- Ready! the script has been executed!
>>
>> [image: Imágenes integradas 3]
>>
>> Also, you can steal cookies!
>>
>> [image: Imágenes integradas 4]
>>
>> I reported to google about it, but they not fixed yet.
>>
>> Kind regards partners!
>>
>> *ANTRAX*
>>
>
>

Content of type "text/html" skipped

Download attachment "xss2.png" of type "image/png" (121499 bytes)

Download attachment "Blogger XSS.png" of type "image/png" (240406 bytes)

Download attachment "xss1.png" of type "image/png" (30859 bytes)

Download attachment "xss4.png" of type "image/png" (31412 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ