Hey ANTRAX, JZ is correct: even in the template view the script is still executed only in the *.blogspot.com context, and not in the context of blogger.com. Look at your first screenshot; it clearly says there that the alert box popped up on *.blogspot.com.

It's good to always alert(document.domain) to be sure of the context in which the script is executed. As you know, a script executing in the context of the cookieless *.blogspot.com cannot interact with or steal cookies from the blogger.com domain. So, to repeat what JZ already said: this is by design, it's not a bug, and no, you cannot attack an admin this way (unless you find some other way to execute that script in the context of blogger.com; in such a case try reporting it again).

Cheers,
Gynvael Coldwind

On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX <[email protected]> wrote:
> I know JZ, but this vulnerability is in the post and not in the template.
> And this could be generated by a blogger and affect the administrator!
> The blogger can edit, but isn't an admin. If the blogger posts some script,
> this affects the administrator.
>
> ---
> Kind regards
> *ANTRAX*
> www.antrax-labs.org
>
> 2013/1/21 Jakub Zoczek <[email protected]>
>> Hi,
>>
>> *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
>> permitted to place custom JavaScript in their own blog templates and blog
>> posts; our take on this is that blogs are user-generated content, not
>> different from any third-party website on the Internet. Naturally, for your
>> safety, we do employ spam and malware detection technologies - but we
>> believe that the flexibility in managing your own content is essential to
>> the success of our blogging platform.
>>
>> *Therefore, the ability to execute owner-supplied scripts on your own
>> blog is not considered to be a vulnerability. That being said, the ability
>> to inject arbitrary JavaScript onto somebody else's blog would likely
>> qualify for a reward!*
>>
>> *Source <http://www.google.com/about/appsecurity/reward-program/>*
>>
>> Peace,
>> JZ
>>
>> On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX <[email protected]> wrote:
>>> Hi all, I'm ANTRAX from Argentina, and I'm the owner of www.underc0de.org.
>>> Today I'm going to share with you an XSS in Blogger. This is very
>>> simple, but it isn't fixed yet.
>>> This bug could be exploited by bloggers without administrator permissions.
>>>
>>> Steps to reproduce the XSS:
>>>
>>> 1.- Create a new post in the blog and insert some script
>>>
>>> [image: Inline image 1]
>>>
>>> 2.- When the administrator enters the administration panel, in the
>>> "templates" section, Blogger automatically executes the script, because
>>> Blogger has a mini-preview in "Ahora en el blog" ("Now on the blog"), which
>>> executes the script
>>>
>>> [image: Inline image 2]
>>>
>>> 3.- Ready! The script has been executed!
>>>
>>> [image: Inline image 3]
>>>
>>> Also, you can steal cookies!
>>>
>>> [image: Inline image 4]
>>>
>>> I reported it to Google, but they haven't fixed it yet.
>>>
>>> Kind regards, partners!
>>>
>>> *ANTRAX*
>>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
gynvael.coldwind//vx
