| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <26563eca0604301834u392dacbcw74ca714caec7ad06@mail.gmail.com> Date: Mon May 1 02:34:41 2006 From: dbounds at gmail.com (Darren Bounds) Subject: GMail, Google Groups XSS vulnerability addressed FYI: GMail and Google Groups have both mitigated this vulnerability with two entirely different techniques: GMail - HTML attachments are renamed at download; replacing the period with an underscore. (e.g: file.html would become file_html). Google Groups - HTML attachments are zipped at download. -- Thank you, Darren Bounds On 4/11/06, Darren Bounds <dbounds@...il.com> wrote: > GMail, Google Groups XSS Vulnerability > April 11, 2006 > > GMail and Google Groups are vulnerable to an cross site scripting > (XSS) attack due to their reliance on Content-Disposition to provide > separation between the HTML file download and application scopes. The > result is the ability for an attacker to send / post a malicious HTML > file attachments which, when read using Internet Explorer, will > execute within the scope of the Google application allowing the theft > of sensitive user content. > > A PoC is available on Google Groups at the following URL: > > http://groups.google.com/group/Content-Disposition/browse_thread/thread/925106682eb32b2b > > This vulnerability is directly related to my posting earlier this week > entitled "Microsoft Internet Explorer Content-Disposition HTML File > Handling Flaw" which can be found at the following URL: > > http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/044991.html > > Google has been notified. > > > -- > > Thank you, > Darren Bounds >
Powered by blists - more mailing lists