#####################################################
Google Custom Search Engine contributors invite XSS
Vendor URL: http://www.google.com
Product URL: http://www.google.com/coop/cse/
Advisory URL: http://lostmon.blogspot.com/2007/08/google-custom-search-engine.html
Vendor notified: yes / Vendor confirmed: yes / Fixed: YES
#####################################################
Description:
A Custom Search Engine is a tailored search experience,
built using Google's core search technology, which
prioritizes or restricts search results based on websites
and pages that you specify, and which can be tailored to
reflect your point of view or area of expertise.
Google Custom Search Engine has a flaw that allows a remote
cross-site scripting attack. The flaw exists because the
application does not validate the textarea in the web preview
of an invite. This could allow a user to create a specially
crafted invite that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
################
timeline
###############
discovered: 31-07-2007
vendor notified: 31-07-2007
vendor response: 31-07-2007
vendor fix: 07-08-2007 (I tested it today)
disclosure: 07-08-2007
####################
explanation
###################
Go to
http://www.google.com/coop/manage/cse/collaboration?cx=[token-of-search-engine]
and in 'Add a personal note to the invitation' write some JavaScript
or HTML code, then click on 'invite preview':
this code is executed...
The form also converts hexadecimal entities (with semicolons) to HTML:
the input is transformed into HTML code, but it is not executed :)
We can try converting it to decimal entity values instead, and it likewise
shows the HTML without executing it.
It only works with 'simple' HTML.
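The root cause described above is a preview that interpolates the note textarea into the page as-is. The following is an added illustration, not code from the advisory or from Google: a constructed preview template rendered the flawed way and the fixed way (HTML-escaping the note), plus a small check that flags any element the user input turned into markup. It also models the advisory's observation that entity-encoded input is displayed as text rather than executed.

```python
import html
import re

# Constructed sample notes (not taken from the advisory): a raw script tag,
# and the same payload written as hexadecimal character references.
NOTE_SCRIPT = '<script>alert(1)</script>'
NOTE_ENTITIES = '&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;'

# Hypothetical preview template; the real page's markup is not known.
TEMPLATE = '<p class="note">{note}</p>'
TEMPLATE_TAGS = ('p',)


def render_preview_vulnerable(note: str) -> str:
    """The flawed pattern: the note is dropped into the markup unchanged,
    so any tag it contains becomes part of the preview page."""
    return TEMPLATE.format(note=note)


def render_preview_fixed(note: str) -> str:
    """Escape &, <, >, " and ' before interpolation, so the note is always
    rendered as text and can never introduce elements or attributes."""
    return TEMPLATE.format(note=html.escape(note, quote=True))


_TAG_RE = re.compile(r'<\s*/?\s*([A-Za-z][A-Za-z0-9]*)')


def injected_tags(markup: str) -> list:
    """Element names in the rendered markup that the template itself does
    not contain. A non-empty list means user input became markup."""
    return [t.lower() for t in _TAG_RE.findall(markup)
            if t.lower() not in TEMPLATE_TAGS]


def displayed_text(markup: str) -> str:
    """Approximate what a browser shows as text: strip tags, then decode
    character references. Entity-encoded input in the vulnerable render
    is shown as literal '<script>' text, which is not executed."""
    return html.unescape(re.sub(r'<[^>]*>', '', markup))
```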
######################### €nd ########################
Thnx to estrella for being my light
Thnx to all the Lostmon Team !!
-
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what keeps the mind moving....