Message-ID: <fdb3980a0512210800h13a10f20h83cab9d43942a59c@mail.gmail.com>
Date: Wed Dec 21 16:00:20 2005
From: mohit.muthanna at gmail.com (Mohit Muthanna)
Subject: XSS vulnerabilities in Google.com

I thought I qualified my response well enough to prevent any
ambiguities, but I guess I have to try again.

> > Sure, but "google != howardsblog.com". A large part of the population
> > (including myself) relies on Google's various services for day-to-day
> > use. I sure as hell would not feel comfortable knowing that I'm using
> > a service that can potentially leak my information.
>
> I'm not talking about some shitty site that no one knows, but a lot of big websites have
> such vulnerabilities.

And they should be disclosed. Plain and simple.

> > That's quite a blanket statement to make. I'm sure a few people in the
> > "security community" would like to know that there exists a
> > vulnerability in a Google service.
>
> yeah maybe but if we end up posting about every site that offers services to users
> and has XSS issues then this list would be receiving a flood of mails :P

That's called full-disclosure. It's the point of this list. It keeps
(or attempts to keep) service providers, software companies, and the
"security community" on their toes.

> it's not hard to test for XSS, so if you are really so afraid of it go test it yourself and
> notify the website owner.

I don't have the time for it, nor do I care for it. I rely on this and
other lists to keep me informed.

> > No. But a site need not be audited to discover a bug.
>
> ah ok, so you think illegal activity is the way to go?

Where did you get that impression? Let me rephrase for clarity:

No it is not legal. But a bug can be discovered by other means than
auditing. Like say, by simply using the service.

> > XSS can do a lot of harm. A compromised administrator account is
> > generally a compromised server. There are some good XSS resources on
> > the web you can read up on.
>
> no, as they don't rely on /etc/passwd users but have their own database usually
> via mysql or so, and a compromised admin user on some webinterface isn't always
> going to end up in compromise of the whole server unless the admin is stupid
> enough to use the same passwords for root and the webbased software.

That isn't outside the realm of possibility.

Again, you missed my qualifier: "generally".

It is quite likely that once a determined hacker has admin privileges
on "some webinterface", he will eventually find a way to own the box.
Not "always" but "quite likely".

FYI, /etc/passwd is not the only way one can gain root. Larger
services don't even use /etc/passwd.

There's more than one way to skin a cat.

> in most cases this will only end up in control of the web parts, i.e. some forum.
> I agree that this is a problem, but it's still not resulting in root access on the shell.

How do you know? Have you worked with every single web application
that exists in the universe?

In any case, even if it doesn't result in gaining root, don't you
think that it is serious? If an XSS vulnerability was found in Flickr,
or del.icio.us, or Basecamp, or any other online service, and it led
to "control of the web parts", would you be comfortable using their
services?

What if they were paid services? Then does it qualify for full-disclosure?

> oh, and I don't have to read about it, so keep your sarcasm to yourself.

So then you agree that an XSS vulnerability is serious, and should be disclosed.

> > Then, my friend, you have discovered a bug.
>
> mhm sure, imagine you find a DoS in your precious Google, then you would take them
> down and you really believe they would thank you for that?
> you would be raided in no time.
> you think they would believe you that you did it only for a good cause? yeah right...

If I found it during the course of my using the service, sure. Why not?

I've developed online services before, and I've had bugs reported.
Contrary to what you may think, instead of "calling the feds", I try
to fix the problem as soon as I can. I'm also glad it was reported by
a user, as opposed to being exploited by a hacker.

> > "There are 10 types of people. Those who understand binary, and those
> > who don't."
>
> you don't...

Very classy.

--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."
