Full Disclosure: Re: XSS vulnerabilities in Google.com

["GroundZero Security" <fd () g-0 org>]

i did not bash the other guy, i was just asking a question.
as for you, yes you deserve to be bashed as you are a moron.
you have no idea of security and you think with your geocities and
google groups you look serious. grow up. get a few bucks and get a real domain.
you better shut the fuck up. if you keep beeing an idiot, people will always
take the piss out of you. by now you should have realized, but you simply ignore the tons of
complains about you. funny that you still think you know whats going on.
your really pathetic..

----- Original Message ----- 
From: "n3td3v" <xploitable () gmail com>
To: "GroundZero Security" <fd () g-0 org>; <full-disclosure () lists grok org uk>
Sent: Wednesday, December 21, 2005 3:00 PM
Subject: Re: [Full-disclosure] XSS vulnerabilities in Google.com


> You couldn't help but bash other peoples Google and Yahoo
> vulnerabilities. When you find your own, come back and bash other
> people. Until then, sit down, and learn from other peoples work.
>
> XSS will always remain part of the Full-Disclosure list if little
> "GroundZero Security" like it or not!
>
> /sarc on
> I hope you enjoy your continued rants about other peoples work, you'll
> go far in your career. /sarc off
>
> On 12/21/05, GroundZero Security <fd () g-0 org> wrote:
> > are we starting to post vulnerabilities in specific websites now rather than
> > daemons/clients etc. ?
> > i mean there are thousands of websites which are vulnerable to xss,sql
> > injection or worse because of their
> > custom scripts. in my opinion this should be posted to the website owners if
> > you feel like, but its of no real use
> > to the security community. hm another thing i'm wondering about is, is it
> > legal to just audit a website without
> > asking the owner if its ok ? how will he know its not a real attack? ok as
> > for xss there cant be much harm done
> > to the server itself, but what if, for example, you cause a DoS through
> > testing certain variables for overflows ?
> >
> >
> > ----- Original Message -----
> > From: Watchfire Research
> > To: full-disclosure () lists grok org uk
> > Sent: Wednesday, December 21, 2005 1:58 PM
> > Subject: [Full-disclosure] XSS vulnerabilities in Google.com
> >
> >
> >
> > //=====================>> Security Advisory <<=====================//
> >
> >
> >
> > ---------------------------------------------------------------------
> >
> > XSS vulnerabilities in Google.com
> >
> > ---------------------------------------------------------------------
> >
> >
> >
> > --[ Author: Yair Amit , Watchfire Corporation http://www.watchfire.com
> >
> > --[ Discovery Date: 15/11/2005
> >
> > --[ Initial Vendor Response: 15/11/2005
> >
> > --[ Issue solved: 01/12/2005
> >
> > --[ Website: www.google.com
> >
> > --[ Severity: High
> >
> >
> >
> > --[ Summary
> >
> >
> >
> > Two XSS vulnerabilities were identified in the Google.com website,
> >
> > which allow an attacker to impersonate legitimate members of Google's
> >
> > services or to mount a phishing attack.
> >
> > Although Google uses common XSS countermeasures, a successful attack
> >
> > is possible, when using UTF-7 encoded payloads.
> >
> >
> >
> > --[ Background
> >
> >
> >
> > Google's URL redirection script
> >
> > ---------------------------------------------------------------------
> >
> >
> >
> > The script (http://www.google.com/url?q=...) is normally used for
> >
> > redirecting the browser from Google's website to other sites.
> >
> >
> >
> > For example, the following request will redirect the browser
> >
> > to http://www.watchfire.com :
> >
> >       -
> > http://www.google.com/url?q=http://www.watchfire.com
> >
> >
> >
> > When the parameter (q) is passed to the script with illegal format
> >
> > (The format seems to be: http://domain), a "403 Forbidden" page
> >
> > returns to the user, informing that the query was illegal.
> >
> > The parameter's value appears in the html returned to the user.
> >
> >
> >
> > If http://www.google.com/url?q=USER_INPUT is requested, the
> > text in
> >
> > the "403 Forbidden" response would be:
> >
> >       - "Your client does not have permission to get URL
> >
> >       /url?q=USER_INPUT from this server."
> >
> >
> >
> > The server response lacks charset encoding enforcement, such as:
> >
> > * Response headers: "Content-Type: text/html; charset=[encoding]".
> >
> > * Response body: "<meta http-equiv="Content-Type" (...)
> > charset=[encoding]/>".
> >
> >
> >
> > Google's 404 NOT FOUND mechanism
> >
> > ---------------------------------------------------------------------
> >
> >
> >
> > When requesting a page which doesn't exist under www.google.com, a
> >
> > 404 NOT FOUND response is returned to the user, with the original
> >
> > path requested.
> >
> >
> >
> > If http://www.google.com/NOTFOUND is requested, the following text
> >
> > appears in the response:
> >
> > "Not Found
> >
> > The requested URL /NOTFOUND was not found on this server."
> >
> >
> >
> > The server response lacks charset encoding enforcement, such as:
> >
> > * Response headers: "Content-Type: text/html; charset=[encoding]".
> >
> > * Response body: "<meta http-equiv="Content-Type" (...)
> > charset=[encoding]/>".
> >
> >
> >
> > --[ XSS vulnerabilities
> >
> >
> >
> > While the aforementioned mechanisms (URL redirection script,
> >
> > 404 NOT FOUND) escape common characters used for XSS, such as <>
> >
> > (triangular parenthesis) and apostrophes, it fails to handle
> >
> > hazardous UTF-7 encoded payloads.
> >
> >
> >
> > Therefore, when sending an XSS attack payload, encoded in UTF-7, the
> >
> > payload will return in the response without being altered.
> >
> >
> >
> > For the attack to succeed (script execution), the victims browser
> >
> > should treat the XSS payload as UTF-7.
> >
> >
> >
> > --[ IE charset encoding Auto-Selection
> >
> >
> >
> > If 'Encoding' is set to 'Auto-Select', and Internet-Explorer finds a
> >
> > UTF-7 string in the first 4096 characters of the response's body,
> >
> > it will set the charset encoding to UTF-7 automatically, unless a
> >
> > certain charset encoding is already enforced.
> >
> >
> >
> > This automatic encoding selection feature makes it possible to mount
> >
> > UTF-7 XSS attacks on Google.com.
> >
> >
> >
> > --[ Solution
> >
> >
> >
> > Google solved the aforementioned issues at 01/12/2005, by using
> >
> > character encoding enforcement.
> >
> >
> >
> > --[ Acknowledgement
> >
> >
> >
> > The author would like to commend the Google Security Team for their
> >
> > cooperation and communication regarding this vulnerability.
> >
> >
> >
> >
> >
> > ________________________________
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/