lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 Nov 2010 23:55:10 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerability in Google AJAX Search

Hello Full-Disclosure!

I want to warn you about Cross-Site Scripting vulnerability in Google AJAX
Search.

In 2007 I already wrote about vulnerability in Google Custom Search Engine
(http://websecurity.com.ua/1050/) - CVE-2007-3484
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3484), and this is
new vulnerability related to Google Custom Search Engine, because AJAX
Search is one variant of CSE.

-------------------------
Affected products:
-------------------------

Potentially vulnerable are all sites and web applications which are using
Google AJAX Search. Particularly those ones which used AJAX Search before
25th of June, 2010, when Google agreed with me and changed documentation of
AJAX Search to prevent incorrect use of their application.

----------
Details:
----------

XSS (WASC-08):

http://site/search/?parameter=’;alert(document.cookie);//

This is DOM Based XSS.

For example, in IB Pro CMS (SecurityVulns ID: 11131), where Google AJAX
Search is using, the next request is used for attack:

http://site/search/?qs=’;alert(document.cookie);//

Besides system IB Promotion Advanced Business Web Suite (IB Pro CMS) and
sites on it, which contain this vulnerability in Google AJAX Search, such
vulnerability also took place in other web application. As I found in
September, Search Api Ajax Google (searchajaxgoogle) extension for TYPO3 CMS
is vulnerable for Cross-Site Scripting
(http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-003/).

------------
Timeline:
------------

2010.06.22 - announced at my site.
2010.06.23 - informed developers. First they tried to decline, but later
they agreed with me.
2010.06.25 - Google agreed with me and changed documentation of AJAX Search.
2010.11.10 - disclosed at my site.

I mentioned about this vulnerability at my site
(http://websecurity.com.ua/4309/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists