Home page logo

fulldisclosure logo Full Disclosure mailing list archives

GMail, Google Groups XSS vulnerability addressed
From: "Darren Bounds" <dbounds () gmail com>
Date: Sun, 30 Apr 2006 21:34:33 -0400

FYI: GMail and Google Groups have both mitigated this vulnerability
with two entirely different techniques:

GMail - HTML attachments are renamed at download; replacing the period
with an underscore. (e.g: file.html would become file_html).

Google Groups - HTML attachments are zipped at download.


Thank you,
Darren Bounds

On 4/11/06, Darren Bounds <dbounds () gmail com> wrote:
GMail, Google Groups XSS Vulnerability
April 11, 2006

GMail and Google Groups are vulnerable to an cross site scripting
(XSS) attack due to their reliance on Content-Disposition to provide
separation between the HTML file download and application scopes. The
result is the ability for an attacker to send / post a malicious HTML
file attachments which,  when read using Internet Explorer, will
execute within the scope of the Google application allowing the theft
of sensitive user content.

A PoC is available on Google Groups at the following URL:


This vulnerability is directly related to my posting earlier this week
entitled "Microsoft Internet Explorer Content-Disposition HTML File
Handling Flaw" which can be found at the following URL:


Google has been notified.


Thank you,
Darren Bounds

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • GMail, Google Groups XSS vulnerability addressed Darren Bounds (May 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]