Date: Sat, 26 Jan 2013 10:56:21 +1100
From: Elfius <elfius@...il.com>
To: ANTRAX <antrax.bt@...il.com>
Cc: Hispabyte HQH <fdkaos2000@...oo.es>, vuln@...unia.com,
	submissions@...ketstormsecurity.com, submit@...ecurity.com,
	full-disclosure@...ts.grok.org.uk, mr.inj3ct0r@...il.com,
	vuldb@...urityfocus.com, el-brujo@...acker.net
Subject: Re: [0 Day] XSS Persistent in Blogspot of Google

OGMMM WTFF 0DAY XSS

Sorry, getting a bit tired of these.

On 26 January 2013 02:50, ANTRAX <antrax.bt@...il.com> wrote:

> Gynvael Coldwind, I know this and I posted a reply in Underc0de about that.
>
> http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/
>
> It isn't a critical bug but, despite that, this shouldn't happen.
>
> Thanks all!
>
> ---
> Best Regards
> *ANTRAX*
>
>
>
> 2013/1/25 Gynvael Coldwind <gynvael@...dwind.pl>
>
>> Hey ANTRAX,
>>
>> JZ is correct, even in the template view the script is still executed
>> only in the *.blogspot.com context, and not in the context of blogger.com -
>> look at your first screenshot - it clearly says there that the alert
>> box popped up on *.blogspot.com.
>>
>> It's good to always alert(document.domain) to be sure of the context in
>> which the script is executed.
>> As you know, a script executing in the context of the cookieless
>> *.blogspot.com cannot interact with or steal cookies from the blogger.com domain.
>>
>> So, to repeat what JZ already said - this is by design, it's not a bug,
>> and no, you cannot attack an admin this way (unless you found some other
>> way to execute that script in the context of blogger.com - in such case
>> try reporting it again).
>>
>> Cheers,
>> Gynvael Coldwind
>>
>>
>>
>> On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX <antrax.bt@...il.com> wrote:
>>
>>> I know JZ, but this vulnerability is in the post and not in the template.
>>> And this could be generated by a blogger and affect the administrator!
>>> The blogger can edit, but isn't an admin. If the blogger posts some
>>> script, this affects the administrator.
>>>
>>>
>>>
>>> ---
>>> Best Regards
>>> *ANTRAX*
>>> www.antrax-labs.org
>>>
>>>
>>> 2013/1/21 Jakub Zoczek <zoczus@...il.com>
>>>
>>>> Hi,
>>>>
>>>> *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
>>>> permitted to place custom JavaScript in their own blog templates and blog
>>>> posts; our take on this is that blogs are user-generated content, not
>>>> different from any third-party website on the Internet. Naturally, for your
>>>> safety, we do employ spam and malware detection technologies - but we
>>>> believe that the flexibility in managing your own content is essential to
>>>> the success of our blogging platform.
>>>>
>>>> Therefore, the ability to execute owner-supplied scripts on your own
>>>> blog is not considered to be a vulnerability. That being said, the ability
>>>> to inject arbitrary JavaScript onto somebody else's blog would likely
>>>> qualify for a reward!
>>>>
>>>> Source: http://www.google.com/about/appsecurity/reward-program/
>>>>
>>>>
>>>> Peace,
>>>> JZ
>>>>
>>>>
>>>> On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX <antrax.bt@...il.com> wrote:
>>>>
>>>>> Hi all, I'm ANTRAX from Argentina, and I'm the owner of www.underc0de.org
>>>>> Today I'm going to share with you an XSS in Blogger. It is very
>>>>> simple, but it isn't fixed yet.
>>>>> This bug could be exploited by bloggers without administrator
>>>>> permissions.
>>>>>
>>>>> Steps to reproduce the XSS:
>>>>>
>>>>> 1.- Create a new post in the blog and insert some script
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> 2.- When the administrator enters the administration panel in the
>>>>> "templates" section, Blogger automatically executes the script, because
>>>>> Blogger has a mini-preview in "Ahora en el blog", which then executes the script
>>>>>
>>>>> [image: Inline image 2]
>>>>>
>>>>> 3.- Ready! The script has been executed!
>>>>>
>>>>> [image: Inline image 3]
>>>>>
>>>>> Also, you can steal cookies!
>>>>>
>>>>> [image: Inline image 4]
>>>>>
>>>>> I reported it to Google, but they haven't fixed it yet.
>>>>>
>>>>> Kind regards partners!
>>>>>
>>>>> *ANTRAX*
>>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>> --
>> gynvael.coldwind//vx
>>
>
>
>



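The origin-context point Gynvael makes in the quoted reply, as an added example that is not code from the thread: it models the same-origin check and RFC 6265 cookie domain matching to show why a script on a *.blogspot.com page cannot reach blogger.com cookies. The hostnames, the cookie jar and the public-suffix subset are constructed assumptions.

```javascript
// Added example, not code from the thread. Models the point Gynvael makes:
// a script running on a *.blogspot.com page is a different origin from
// blogger.com, so it can neither script blogger.com pages nor read cookies
// scoped to blogger.com. Hostnames and cookies below are constructed.

// Origin tuple of a URL: scheme, host and (explicit or default) port.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same-origin policy: scheme, host and port must all match exactly;
// a shared parent domain (e.g. both under .com) does not count.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Domains on the public suffix list cannot carry cookies; blogspot.com is
// listed there, which is why Gynvael calls it "cookieless". Subset assumed.
const PUBLIC_SUFFIXES = new Set(["com", "blogspot.com"]);

// RFC 6265 domain matching: cookie Domain=d reaches host h only when
// h equals d or ends with "." + d, and d is not a public suffix.
function cookieDomainMatches(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  if (PUBLIC_SUFFIXES.has(d)) return false;
  return h === d || h.endsWith("." + d);
}

// Cookies a script on scriptHost could read via document.cookie:
// must domain-match and must not be HttpOnly.
function readableCookies(scriptHost, cookies) {
  return cookies
    .filter((c) => !c.httpOnly && cookieDomainMatches(c.domain, scriptHost))
    .map((c) => c.name);
}

// Constructed sample cookie jar: a blogger.com admin session and a
// preference cookie set by one blog.
const SAMPLE_COOKIES = [
  { name: "blogger_session", domain: ".blogger.com", httpOnly: true },
  { name: "blogger_pref", domain: "www.blogger.com", httpOnly: false },
  { name: "blog_theme", domain: "example.blogspot.com", httpOnly: false },
];
```

In a live page the host the script actually runs in is `document.domain` (or `location.origin`), which is the check Gynvael recommends before concluding anything about impact.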