lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <BAY19-DAV3D019A8F168781224282BD9310@phx.gbl>
Date: Wed Dec 21 21:25:57 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: XSS vulnerabilities in Google.com

i see no "n3td3v" credits here... further, i cant concieve of the fact that you would even know what UTF-7 encoding is.
IMO all you have ever done is notice weird behavior when info is pulled into your Google group ( like your 1st post about google groups about 9 months ago or so ) from other sources ( or replies ). XSS can be bad or benign depending on if it is persistant in nature or not ( if not it requires a user to click a preformed XSS url ). And yes, persistant XSS can be used to root users if coupled
with the latest browser exploit ( and any admin behind the sites firewall / corporate infrastructure ). 
In the future may I suggest the folowing....

1. find your flaw
2. write an advisory
3. send it to the vendor
4. wait for response
5. wait for patches
6. disclose advisory formaly
7. stfu and find your next flaw

cheers,
mw





  //=====================>> Security Advisory <<=====================//

   

  ---------------------------------------------------------------------

  XSS vulnerabilities in Google.com

  ---------------------------------------------------------------------

   

  --[ Author: Yair Amit , Watchfire Corporation http://www.watchfire.com

  --[ Discovery Date: 15/11/2005

  --[ Initial Vendor Response: 15/11/2005

  --[ Issue solved: 01/12/2005

  --[ Website: www.google.com 

  --[ Severity: High

   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051221/2347719a/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ