Google AdSense invite-friend multiple field XSS

Sunday, May 01, 2005
####################################################
Google AdSense invite-fiend multiple field XSS
vendor url:https://www.google.com/adsense/
advisore: http://lostmon.blogspot.com/2005/05/
google-adsense-invite-friend-multiple.html
vendor notify : yes exploit available:yes
#####################################################

Google AdSense is a fast and easy way for website publishers of all
sizes to display relevant Google ads on their website's content
pages and earn money

Google AdSense contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly ' Your friend's name',' Your name' ,'Your
email address' and 'Add a personal message' fields upon
submission to the 'previewInvitation()' Function in '/adsense/invite-friend'
scripts.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,leading to a
loss of integrity.

#############
tieline:
#############
discovered: 1 may 2005
vendor notified: 2 may 2005
vendor response: 2 may 2005 ( autoresponder)
vendor response:
fix: not fixed !!!!
disclosure: 5 may 2005

###################
software used
##################

windows 2000 sp4 all fixes
ie 6.0 all fixes
google toolbar 2.0.114.9 big/es
Netcraft toolbar 1.4.1

#################
proof of concept:
#################

Image Example

Go to this address https://www.google.com/adsense/invite-friend
ans insert in fields listed for example:
"><iframe src=http://www.google.com><iframe>
and click in 'preview invite text' link , the iframe is executed
in the texarea on show a preview of the invite with this we can
exploit ' Your friend's name',' Your name' ,'Your email address'
and 'Add a personal message' form fields.

WARNING !!! IF WE LOOK WE ARE IN HTTPS PROTOCOL !!!!!!

(Yet another) Google Cross Site Scripting

############### End ####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...