Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [0 Day] XSS Persistent in Blogspot of Google
From: ANTRAX <antrax.bt () gmail com>
Date: Fri, 25 Jan 2013 12:50:56 -0300

Gynvael Coldwind, I know this and I posted a reply in Underc0de about that.


It isn't a critical bug but, despite that, this shouldn't happen..

Thanks all!

Best Regards

2013/1/25 Gynvael Coldwind <gynvael () coldwind pl>


JZ is correct, even in the template view the script is still executed only
in the *.blogspot.com context, and not in the context of blogger.com -
look at your first screenshot - it's clearly said there that the alert box
popped up on *.blogspot.com.

It's good to always alert(document.domain) to be sure of the context in
which the script is executed.
As you know, script executing in the context of the cookieless *.
blogspot.com cannot interact / or steal cookies from blogger.com domain.

So, to repeat what JZ already said - this is by design, it's not a bug,
and no, you cannot attack an admin this way (unless you found some other
way to execute that script in the context of blogger.com - in such case
try reporting it again).

Gynvael Coldwind

On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX <antrax.bt () gmail com> wrote:

I know JZ, but this vulnerability is in the post and no in the template.
And this could be generated by blogger and affect to administrator!
The blogger can edit, but haven't admin. If the blogger post some script,
this affect to administrator.

Saludos Cordiales

2013/1/21 Jakub Zoczek <zoczus () gmail com>


*Execution of owner-supplied JavaScript on Blogger:* Blogger users are
permitted to place custom JavaScript in their own blog templates and blog
posts; our take on this is that blogs are user-generated content, not
different from any third-party website on the Internet. Naturally, for your
safety, we do employ spam and malware detection technologies - but we
believe that the flexibility in managing your own content is essential to
the success of our blogging platform.

*Therefore, the ability to execute owner-supplied scripts on your own
blog is not considered to be a vulnerability. That being said, the ability
to inject arbitrary JavaScript onto somebody else’s blog would likely
qualify for a reward!

*Source <http://www.google.com/about/appsecurity/reward-program/>*


On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX <antrax.bt () gmail com> wrote:

Hi all, I'm ANTRAX from Argentina, and I'm owner of www.underc0de.org
Today, I going to shared with you about XSS in blogger. This is a very
simple, but isn´t fix yet..
This bug could be exploited by bloggers without administrator

Steps to reproduce the XSS:

1.- Create a new post in the blog and insert some script

[image: Imágenes integradas 1]

2.- When the administrator enter in the administration panel in
"templates" section, blogger automatically executed the script, because
blogger have a mini-preview in "Ahora en el blog", then execute the script

[image: Imágenes integradas 2]

3.- Ready! the script has been executed!

[image: Imágenes integradas 3]

Also, you can steal cookies!

[image: Imágenes integradas 4]

I reported to google about it, but they not fixed yet.

Kind regards partners!


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]