Full Disclosure: Re: www.google.com xss vulnerability Using mhtml

Re: www.google.com xss vulnerability Using mhtml

From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 26 Jan 2011 11:21:05 +0100

Football field? More like dodgeball !!!

On Wed, Jan 26, 2011 at 10:33 AM, IEhrepus <5up3rh3i () gmail com> wrote:

Long, long time ago, we heard an interesting legend is www.google.com
will Pay for its vulnerability,so we want to try ...

lucky,A vulnerability has been caught by my friend
PZ[http://hi.baidu.com/p__z], this vul is base on 《Hacking with mhtml
protocol handler》[
http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
]:

mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!xxxx

we are very happy,so we post it to security () google com for the legend
:)[2011/01/23].We got a reply soon [2011/01/24]:

---------------------------------------------------
Hi Pavel,

Nice catch! I’ve filed a bug internally and will keep you in the loop
as things progress.

Regards,
xxx- Google Security Team
--------------------------------------------------

but .....

-------------------------------------------------
Hi Pavel,

The panel has determined this doesn't qualify for a reward for 2 reasons:

1) A very close variant was publicly disclosed on 21 Jan:
http://www.wooyun.org/bugs/wooyun-2010-01199
2) Technically, it's not a bug in Google, it's really a big in IE.

Cheers,
xxx, Google Security Team
-----------------------------------------------

and Today we test the vul again ,it has been fixed .[2011/01/26]

Thus, we understand the unspoken rules of this, This is a football
game, the vulnerability is the ball , MS and GG are the players


----by superhei from http://www.80vul.com




hitest

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

www.google.com xss vulnerability Using mhtml IEhrepus (Jan 26)
- Re: www.google.com xss vulnerability Using mhtml Christian Sciberras (Jan 26)
- <Possible follow-ups>
- Re: www.google.com xss vulnerability Using mhtml Yigit Turgut (Jan 26)
  - Re: www.google.com xss vulnerability Using mhtml Michal Zalewski (Jan 26)
    - Re: www.google.com xss vulnerability Using mhtml IEhrepus (Jan 27)
    - Re: www.google.com xss vulnerability Using mhtml Michal Zalewski (Jan 27)
    - Re: www.google.com xss vulnerability Using mhtml Valdis . Kletnieks (Jan 27)
    - Re: www.google.com xss vulnerability Using mhtml IEhrepus (Jan 27)
    - Re: www.google.com xss vulnerability Using mhtml laurent gaffie (Jan 27)
    - Re: www.google.com xss vulnerability Using mhtml Michal Zalewski (Jan 28)
    - Re: www.google.com xss vulnerability Using mhtml IEhrepus (Jan 29)
- Re: www.google.com xss vulnerability Using mhtml Juha-Matti Laurio (Jan 30)