lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060705124933.37754.qmail@cgisecurity.net>
Date: Wed Jul  5 15:10:33 2006
From: bugtraq at cgisecurity.net (bugtraq@...security.net)
Subject: Re: [WEB SECURITY] Cross Site Scripting in Google

Did you even bother to email them and let them know? Being that they're still vulnerable probably not....

- z

> 
> 
> Google is vulnerable to cross site scripting attacks.  I found a
> function built off their add RSS feed function that returns HTML if a
> valid feed is found.  It is intended as an AJAXy (dynamic JavaScript
> anyway) call from an inline function and the page is intended to do
> sanitation of the function.  However, that's too late, and it returns
> the HTML as a query string, that is rendered, regardless of the fact
> that it is simply a JavaScript snippet.
> 
> Here is the post that explains the whole thing:
> 
> http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
> 
> 
> -RSnake
> http://ha.ckers.org/
> http://ha.ckers.org/xss.html
> http://ha.ckers.org/blog/feed/
> 
> ----------------------------------------------------------------------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ