lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <00d601cc86c6$6412c4e0$9b7a6fd5@ml>
Date: Sun, 9 Oct 2011 23:57:49 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Google Arbitrary URL Redirect Vulnerability

Hello YGN Ethical Hacker Group!

A few notes concerning your advisory Google: Malware URL Redirection (Google Arbitrary URL Redirect Vulnerability) (http://bl0g.yehg.net/2011/08/google-malware-url-redirection-google.html).

In 2008 (23.01.2008) I already wrote about 11 redirectors of Google (http://websecurity.com.ua/1766/) - after I wrote about multiple Google redirectors in 2007 in my Month of Search Engines Bugs project. Some of them repeat previously disclosed redirectors, but most are new ones (which I found in 2007). After that time Google fixed most of them, except two (and of course, as often takes place with Google, they fixed them hiddenly without thanking the people who bring their and everyone's attention to vulnerabilities at Google's sites).

Among those redirectors which I disclosed in 2008, two are still working (one works automatically and one requires a hash, which can be easily bypassed, as you wrote in detail in your advisory). One of them, the one which requires a hash, is exactly the same redirector which you wrote about in your advisory.

Another one, which still works, and automatically (without hashes):

http://www.google.com/search?q=websecurity.com.ua&btnI=websecurity.com.ua

So Google did some work to fix redirectors (URL Redirector Abuse) at their sites. But there is room for improvement ;-) (and they need to deal with these two redirectors).

For Google (if they are not sure whether to fix them or not) and for those who are interested in this class of vulnerabilities, I recommend reading the corresponding articles:

URL Redirector Abuse (WASC-38) in WASC 2.0
http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse

Redirectors: the phantom menace
http://websecurity.com.ua/3495/

Attacks via closed redirectors
http://websecurity.com.ua/3531/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
