[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <9CA621425D6EAE4FBBD29326CC7D11063CF0F1@unity-svr.Unity.local>
Date: Thu Jul 6 14:12:45 2006
From: Ed at unityitservices.co.uk (Edward Pearson)
Subject: Re: [WEB SECURITY] Cross Site Scripting inGoogle
For those who didn't read earlier: This isn't a bug, it's a feature.
The URL specified is DESIGNED to redirect, e-mailing Google about it is
simply going to make you look stupid.
Ed
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Javor
Ninov
Sent: 06 July 2006 06:00
To: RSnake
Cc: full-disclosure@...ts.grok.org.uk; websecurity@...appsec.org;
bugtraq@...urityfocus.com; webappsec@...urityfocus.com;
bugtraq@...security.net
Subject: Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting
inGoogle
RSnake wrote:
>
> Just for the record, I should clarify. Google was not notified of this
> exploit prior to full disclosure. As I said, they are notoriously slow
> (or completely delinquent) in fixing these issues historically. If you
> need proof click here to see four redirect issues disclosed nearly 6
> months ago that are still not fixed.
>
> http://seclists.org/lists/webappsec/2006/Jan-Mar/0066.html
>
> Here's another one:
>
> http://www.google.com/url?sa=D&q=http://www.fthe.net
>
> Typically I don't believe in full disclosure as a release methodology
> (for instance, if I found a remote vulnerability in Microsoft, I
> wouldn't disclose that without giving Microsoft months to release a
> patch as they have taken their patching process very seriously as of
> late and their responsibility in this matter has been far improved).
> Either Google was not convinced when they were used as a phishing
> relay last time, or they do not take this seriously. Either way, it
> takes all but a few days to patch these issues in a website, QA them
> and releast them, and Google has not done so, making contacting the
> vendor a useless excersize to date, in my opinion.
>
my opinion is that full disclosure is not for vendors .. it's for users.
full disclosure is for us to know how to react on certain threads. i
personally don't care about the vendors , although my company is a
vendor itself . we also produce software and we also care about security
of our software. but i expect users to post to security groups instead
of mailing me personally. If the vendor cares about his users he should
watch the security groups.
I believe in FULL disclosure
And i think this is the better way.
--
Javor Ninov aka DrFrancky
securitydot.net
> On Wed, 5 Jul 2006, bugtraq@...security.net wrote:
>
>> Did you even bother to email them and let them know? Being that
>> they're still vulnerable probably not....
>>
>> - z
>>
>>>
>>>
>>> Google is vulnerable to cross site scripting attacks. I found a
>>> function built off their add RSS feed function that returns HTML if
>>> a valid feed is found. It is intended as an AJAXy (dynamic
>>> JavaScript
>>> anyway) call from an inline function and the page is intended to do
>>> sanitation of the function. However, that's too late, and it
>>> returns the HTML as a query string, that is rendered, regardless of
>>> the fact that it is simply a JavaScript snippet.
>>>
>>> Here is the post that explains the whole thing:
>>>
>>> http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability
>>> -in-google/
>>>
>>>
>>>
>>> -RSnake
>>> http://ha.ckers.org/
>>> http://ha.ckers.org/xss.html
>>> http://ha.ckers.org/blog/feed/
>>>
>>> --------------------------------------------------------------------
>>> --------
>>>
>>> The Web Security Mailing List:
>>> http://www.webappsec.org/lists/websecurity/
>>>
>>> The Web Security Mailing List Archives:
>>> http://www.webappsec.org/lists/websecurity/archive/
>>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>>
>>
>>
>> ---------------------------------------------------------------------
>> ----
>> Sponsored by: Watchfire
>>
>> Securing a web application goes far beyond testing the application
>> using manual processes, or by using automated systems and tools.
>> Watchfire's "Web Application Security: Automated Scanning or Manual
>> Penetration Testing?" whitepaper examines a few vulnerability
>> detection methods - specifically comparing and contrasting manual
>> penetration testing with automated scanning tools. Download it today!
>>
>> https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008
>> Vmm
>> ---------------------------------------------------------------------
>> -----
>>
>>
>
>
> -R
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists