OGMMM WTFF 0DAY XSS Sorry, getting a bit tired of these.
On 26 January 2013 02:50, ANTRAX <antrax...@gmail.com> wrote:
> Gynvael Coldwind, I know this and I posted a reply in Underc0de about that.
>
> http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/
>
> It isn't a critical bug but, despite that, this shouldn't happen..
>
> Thanks all!
>
> ---
> Best Regards
> *ANTRAX*
>
> 2013/1/25 Gynvael Coldwind <gynv...@coldwind.pl>
>
>> Hey ANTRAX,
>>
>> JZ is correct, even in the template view the script is still executed
>> only in the *.blogspot.com context, and not in the context of blogger.com -
>> look at your first screenshot - it's clearly said there that the alert
>> box popped up on *.blogspot.com.
>>
>> It's good to always alert(document.domain) to be sure of the context in
>> which the script is executed.
>> As you know, script executing in the context of the cookieless
>> *.blogspot.com cannot interact / or steal cookies from blogger.com domain.
>>
>> So, to repeat what JZ already said - this is by design, it's not a bug,
>> and no, you cannot attack an admin this way (unless you found some other
>> way to execute that script in the context of blogger.com - in such case
>> try reporting it again).
>>
>> Cheers,
>> Gynvael Coldwind
>>
>> On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX <antrax...@gmail.com> wrote:
>>
>>> I know JZ, but this vulnerability is in the post and no in the template.
>>> And this could be generated by blogger and affect to administrator!
>>> The blogger can edit, but haven't admin. If the blogger post some
>>> script, this affect to administrator.
>>>
>>> ---
>>> Kind regards
>>> *ANTRAX*
>>> www.antrax-labs.org
>>>
>>> 2013/1/21 Jakub Zoczek <zoc...@gmail.com>
>>>
>>>> Hi,
>>>>
>>>> *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
>>>> permitted to place custom JavaScript in their own blog templates and blog
>>>> posts; our take on this is that blogs are user-generated content, not
>>>> different from any third-party website on the Internet. Naturally, for your
>>>> safety, we do employ spam and malware detection technologies - but we
>>>> believe that the flexibility in managing your own content is essential to
>>>> the success of our blogging platform.
>>>>
>>>> Therefore, the ability to execute owner-supplied scripts on your own
>>>> blog is not considered to be a vulnerability. That being said, the ability
>>>> to inject arbitrary JavaScript onto somebody else's blog would likely
>>>> qualify for a reward!
>>>>
>>>> *Source <http://www.google.com/about/appsecurity/reward-program/>*
>>>>
>>>> Peace,
>>>> JZ
>>>>
>>>> On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX <antrax...@gmail.com> wrote:
>>>>
>>>>> Hi all, I'm ANTRAX from Argentina, and I'm owner of www.underc0de.org
>>>>> Today, I going to shared with you about XSS in blogger. This is a very
>>>>> simple, but isn't fix yet..
>>>>> This bug could be exploited by bloggers without administrator
>>>>> permissions.
>>>>>
>>>>> Steps to reproduce the XSS:
>>>>>
>>>>> 1.- Create a new post in the blog and insert some script
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> 2.- When the administrator enter in the administration panel in
>>>>> "templates" section, blogger automatically executed the script, because
>>>>> blogger have a mini-preview in "Ahora en el blog", then execute the script
>>>>>
>>>>> [image: Inline image 2]
>>>>>
>>>>> 3.- Ready! the script has been executed!
>>>>>
>>>>> [image: Inline image 3]
>>>>>
>>>>> Also, you can steal cookies!
>>>>>
>>>>> [image: Inline image 4]
>>>>>
>>>>> I reported to google about it, but they not fixed yet.
>>>>>
>>>>> Kind regards partners!
>>>>>
>>>>> *ANTRAX*
>>>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> --
>> gynvael.coldwind//vx
>>
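
The point made in the thread about checking `document.domain`, as an added example that is not part of the original messages: a simplified model of RFC 6265 cookie domain-matching (Path and Secure are ignored) that lists which cookies a script can read depending on the host it executes on. The host names, URLs and cookie names are constructed sample data.

```javascript
// Added example: why a script running on a *.blogspot.com page (including a
// post preview framed inside a blogger.com admin page) cannot read
// blogger.com cookies. All hosts and cookie names are constructed.

// RFC 6265 section 5.1.3: a host matches a cookie domain if they are equal,
// or if the host ends with "." + domain and the host is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Names of the cookies a script at `host` would see in document.cookie.
// Host-only cookies (set without a Domain attribute) need an exact host
// match; HttpOnly cookies are never exposed to script.
function visibleCookies(host, jar) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .filter(c => !c.httpOnly)
    .map(c => c.name);
}

// The question alert(document.domain) answers during triage: on which host
// did the script run, and which cookies are reachable from there?
function report(pageUrl, jar) {
  const host = new URL(pageUrl).hostname;
  return { executionContext: host, readable: visibleCookies(host, jar) };
}

// Constructed cookie jar for illustration only.
const SAMPLE_JAR = [
  { name: "admin_session", domain: "blogger.com", hostOnly: false, httpOnly: false },
  { name: "draft_token", domain: "www.blogger.com", hostOnly: true, httpOnly: false },
  { name: "blog_pref", domain: "example-blog.blogspot.com", hostOnly: true, httpOnly: false },
];

console.log(report("https://example-blog.blogspot.com/2013/01/post.html", SAMPLE_JAR));
console.log(report("https://www.blogger.com/admin", SAMPLE_JAR));
```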