lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 29 Jan 2013 11:03:21 +0000
From: antisnatchor <antisnatchor@...il.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: ANTRAX <antrax.bt@...il.com>, Hispabyte HQH <fdkaos2000@...oo.es>,
	vuln@...unia.com, submissions@...ketstormsecurity.com,
	submit@...ecurity.com, full-disclosure@...ts.grok.org.uk,
	mr.inj3ct0r@...il.com, vuldb@...urityfocus.com, el-brujo@...acker.net
Subject: Re: [0 Day] XSS Persistent in Blogspot of Google

Agree with Michal,

at the end you achieve code execution with an XSS as well, it's just in
the DOM.
Depending on the attack surface, browser type and so on, this can be
devastating.

I bet you remember the XSS on Amazon EC2 web interface, which combined
with XSRF lead to stealing x.509 certificates and so on :D

Cheers
antisnatchor

> ------------------------------------------------------------------------
>
> 	Michal Zalewski <mailto:lcamtuf@...edump.cx>
> January 27, 2013 7:17 PM
>
>
>     OGMMM WTFF 0DAY XSS
>     Sorry, getting a bit tired of these.
>
>
> Well, the world is changing. You can probably do a lot more direct
> damage with a (legit) XSS in a high-value site than with a local
> privilege escalation in sudo.
>
> XSS reports are less actionable for the average reader, but full
> disclosure is probably still beneficial, in that it provides data
> points about the types of flaws a particular vendor happens to have,
> and the speed and quality of the deployed fixes.
>
> Of course, many of the XSS reports in knorr.com <http://knorr.com> and
> similarly exciting destinations are zzzzzzzzzz...
>
> /mz
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> 	Elfius <mailto:elfius@...il.com>
> January 25, 2013 11:56 PM
>
>
> OGMMM WTFF 0DAY XSS
>
> Sorry, getting a bit tired of these.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> 	ANTRAX <mailto:antrax.bt@...il.com>
> January 25, 2013 3:50 PM
>
>
> Gynvael Coldwind, I know this and I posted a reply in Underc0de about
> that.
>
> http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/
>
> It isn't a critical bug but, despite that, this shouldn't happen..
>
> Thanks all!
>
> ---
> Best Regards
> *ANTRAX*
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> 	Gynvael Coldwind <mailto:gynvael@...dwind.pl>
> January 25, 2013 1:24 PM
>
>
> Hey ANTRAX,
>
> JZ is correct, even in the template view the script is still executed
> only in the *.blogspot.com <http://blogspot.com> context, and not in
> the context of blogger.com <http://blogger.com> - look at your first
> screenshot - it's clearly said there that the alert box popped up on
> *.blogspot.com <http://blogspot.com>.
>
> It's good to always alert(document.domain) to be sure of the context
> in which the script is executed.
> As you know, script executing in the context of the cookieless
> *.blogspot.com <http://blogspot.com> cannot interact / or steal
> cookies from blogger.com <http://blogger.com> domain.
>
> So, to repeat what JZ already said - this is by design, it's not a
> bug, and no, you cannot attack an admin this way (unless you found
> some other way to execute that script in the context of blogger.com
> <http://blogger.com> - in such case try reporting it again).
>
> Cheers,
> Gynvael Coldwind
>
>
>
>
>
>
> -- 
> gynvael.coldwind//vx
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> 	ANTRAX <mailto:antrax.bt@...il.com>
> January 22, 2013 12:11 AM
>
>
> I know JZ, but this vulnerability is in the post and no in the template.
> And this could be generated by blogger and affect to administrator!
> The blogger can edit, but haven't admin. If the blogger post some
> script, this affect to administrator.
>
>
> ---
> Saludos Cordiales
> *ANTRAX*
> www.antrax-labs.org <http://www.antrax-labs.org>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

Download attachment "compose-unknown-contact.jpg" of type "image/jpeg" (770 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ