| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 20 Feb 2011 15:23:00 -0300
From: Jardel Weyrich <jweyrich@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Google Chrome Browser] Google Mail Checker
Plus: JavaScript Code Execution
The XSS in Google Mail Checker Plus was reported in 06/2010. However, the
latest version is still vulnerable.
The PoC can be an email with a body like this:
Anything in this line, or nothing at all
<script>alert('you are vulnerable');</script>
I posted a notification on their support forum yesterday.
-jardel
On Sat, Feb 19, 2011 at 7:59 PM, ck <c.kernstock@...glemail.com> wrote:
> Well, at least "><script>alert(/XSS/)</script> works great:
>
> http://img6.imagebanana.com/img/4tyst18d/one.png
> http://img6.imagebanana.com/img/wh9zwmc6/two.png
>
> Thx to Friedrich Hausberger for his mail to FD :)
>
> ck
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists