lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTinF+XiCfVrw86cm-m0uHW_o0xzK1XfHFwTNR1PF@mail.gmail.com> Date: Wed, 26 Jan 2011 01:33:16 -0800 From: IEhrepus <5up3rh3i@...il.com> To: full-disclosure@...ts.grok.org.uk Cc: sird@...c.at Subject: www.google.com xss vulnerability Using mhtml Long, long time ago, we heard an interesting legend is www.google.com will Pay for its vulnerability,so we want to try ... lucky,A vulnerability has been caught by my friend PZ[http://hi.baidu.com/p__z], this vul is base on 《Hacking with mhtml protocol handler》[http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt]: mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!xxxx we are very happy,so we post it to security@...gle.com for the legend :)[2011/01/23].We got a reply soon [2011/01/24]: --------------------------------------------------- Hi Pavel, Nice catch! I’ve filed a bug internally and will keep you in the loop as things progress. Regards, xxx- Google Security Team -------------------------------------------------- but ..... ------------------------------------------------- Hi Pavel, The panel has determined this doesn't qualify for a reward for 2 reasons: 1) A very close variant was publicly disclosed on 21 Jan: http://www.wooyun.org/bugs/wooyun-2010-01199 2) Technically, it's not a bug in Google, it's really a big in IE. Cheers, xxx, Google Security Team ----------------------------------------------- and Today we test the vul again ,it has been fixed .[2011/01/26] Thus, we understand the unspoken rules of this, This is a football game, the vulnerability is the ball , MS and GG are the players ----by superhei from http://www.80vul.com hitest _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists