[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <44AC98C1.3050609@securax.org>
Date: Thu Jul 6 05:59:57 2006
From: drfrancky at securax.org (Javor Ninov)
Subject: Re: [WEB SECURITY] Cross Site Scripting in
Google
RSnake wrote:
>
> Just for the record, I should clarify. Google was not notified of this
> exploit prior to full disclosure. As I said, they are notoriously slow
> (or completely delinquent) in fixing these issues historically. If you
> need proof click here to see four redirect issues disclosed nearly 6
> months ago that are still not fixed.
>
> http://seclists.org/lists/webappsec/2006/Jan-Mar/0066.html
>
> Here's another one:
>
> http://www.google.com/url?sa=D&q=http://www.fthe.net
>
> Typically I don't believe in full disclosure as a release methodology
> (for instance, if I found a remote vulnerability in Microsoft, I
> wouldn't disclose that without giving Microsoft months to release a
> patch as they have taken their patching process very seriously as of
> late and their responsibility in this matter has been far improved).
> Either Google was not convinced when they were used as a phishing relay
> last time, or they do not take this seriously. Either way, it takes all
> but a few days to patch these issues in a website, QA them and releast
> them, and Google has not done so, making contacting the vendor a useless
> excersize to date, in my opinion.
>
my opinion is that full disclosure is not for vendors .. it's for users.
full disclosure is for us to know how to react on certain threads. i
personally don't care about the vendors , although my company is a
vendor itself . we also produce software and we also care about security
of our software. but i expect users to post to security groups instead
of mailing me personally. If the vendor cares about his users he should
watch the security groups.
I believe in FULL disclosure
And i think this is the better way.
--
Javor Ninov aka DrFrancky
securitydot.net
> On Wed, 5 Jul 2006, bugtraq@...security.net wrote:
>
>> Did you even bother to email them and let them know? Being that
>> they're still vulnerable probably not....
>>
>> - z
>>
>>>
>>>
>>> Google is vulnerable to cross site scripting attacks. I found a
>>> function built off their add RSS feed function that returns HTML if a
>>> valid feed is found. It is intended as an AJAXy (dynamic JavaScript
>>> anyway) call from an inline function and the page is intended to do
>>> sanitation of the function. However, that's too late, and it returns
>>> the HTML as a query string, that is rendered, regardless of the fact
>>> that it is simply a JavaScript snippet.
>>>
>>> Here is the post that explains the whole thing:
>>>
>>> http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
>>>
>>>
>>>
>>> -RSnake
>>> http://ha.ckers.org/
>>> http://ha.ckers.org/xss.html
>>> http://ha.ckers.org/blog/feed/
>>>
>>> ----------------------------------------------------------------------------
>>>
>>> The Web Security Mailing List:
>>> http://www.webappsec.org/lists/websecurity/
>>>
>>> The Web Security Mailing List Archives:
>>> http://www.webappsec.org/lists/websecurity/archive/
>>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>>
>>
>>
>> -------------------------------------------------------------------------
>> Sponsored by: Watchfire
>>
>> Securing a web application goes far beyond testing the application using
>> manual processes, or by using automated systems and tools. Watchfire's
>> "Web Application Security: Automated Scanning or Manual Penetration
>> Testing?" whitepaper examines a few vulnerability detection methods -
>> specifically comparing and contrasting manual penetration testing with
>> automated scanning tools. Download it today!
>>
>> https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
>> --------------------------------------------------------------------------
>>
>>
>
>
> -R
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060706/51fa2b7c/signature.bin
Powered by blists - more mailing lists