lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAO3sRvk6ZkjLrHTJZWj1fq1c_mD+YouVp1KqAYC-7-AV76DrxQ@mail.gmail.com>
Date: Tue, 3 Jan 2012 11:52:25 +0530
From: asish agarwalla <asishagarwalla@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Apigee Facebook API - Cross site scripting

Title:
-------
Apigee Facebook API - Cross site scripting


Vendor status:
---------------
[18.12.2011] Vulnerability discovered.
[19.12.2011] Contact with the vendor.
[26.12.2011] Vulnerability patched by vendor.


Introduction
----------------
Apigee is for a new internet of APIs - where billions of mobile, tablets,
and set-top apps connect in a web that has moved beyond the browser. Over
200 enterprises and thousands of developers use Apigee technology to make
their APIs better.

Apigee also provide  API to Connect facebook with the Graph API.

web page: http://apigee.com/
Facebook API console : https://apigee.com/console/facebook#


Abstract
-----------
Apigee facebook api do not validate or encode the facebook response.


Details:
--------
If attacker post any malicious script in victim wall/send message/write a
comment and victim visit that page through Apigee Api that malicious script
get executed. It not only affects the victim user but also affect all the
users who will visit that page using Apigee API.

Using this vulnerability attacker can steal user cookie and can preformed
all the action that user can performed using the Apigee API.

@Asish

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ