Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google

2013-01-29 Thread Guifre
Hello,

Agree with Michal. It is very interesting to get to know new
complex XSS vulnerabilities.

IMAHO, the issue here is claiming to have found a vulnerability
without providing a PoC of how to use it to violate a security policy
of the targeted service, probably because there are none, and
therefore it's not a vulnerability but a feature.

Regards,
Guifre.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google

2013-01-29 Thread antisnatchor
Agree with Michal,

at the end you achieve code execution with an XSS as well, it's just in
the DOM.
Depending on the attack surface, browser type and so on, this can be
devastating.

I bet you remember the XSS on the Amazon EC2 web interface, which, combined
with XSRF, led to stealing X.509 certificates and so on :D

Cheers
antisnatchor

Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google

2013-01-28 Thread Michal Zalewski

 OGMMM WTFF 0DAY XSS
 Sorry, getting a bit tired of these.


Well, the world is changing. You can probably do a lot more direct damage
with a (legit) XSS in a high-value site than with a local privilege
escalation in sudo.

XSS reports are less actionable for the average reader, but full disclosure
is probably still beneficial, in that it provides data points about the
types of flaws a particular vendor happens to have, and the speed and
quality of the deployed fixes.

Of course, many of the XSS reports in knorr.com and similarly exciting
destinations are zz...

/mz

Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google

2013-01-27 Thread Elfius
OGMMM WTFF 0DAY XSS

Sorry, getting a bit tired of these.

On 26 January 2013 02:50, ANTRAX antrax...@gmail.com wrote:

 Gynvael Coldwind, I know this and I posted a reply in Underc0de about that.

 http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/

 It isn't a critical bug but, despite that, this shouldn't happen.

 Thanks all!

 ---
 Best Regards
 *ANTRAX*



 2013/1/25 Gynvael Coldwind gynv...@coldwind.pl

 Hey ANTRAX,

 JZ is correct, even in the template view the script is still executed
 only in the *.blogspot.com context, and not in the context of blogger.com -
 look at your first screenshot - it's clearly said there that the alert
 box popped up on *.blogspot.com.

 It's good to always alert(document.domain) to be sure of the context in
 which the script is executed.
 As you know, script executing in the context of the cookieless
 *.blogspot.com cannot interact with or steal cookies from the blogger.com domain.

 So, to repeat what JZ already said - this is by design, it's not a bug,
 and no, you cannot attack an admin this way (unless you found some other
 way to execute that script in the context of blogger.com - in such case
 try reporting it again).

 Cheers,
 Gynvael Coldwind



 On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX antrax...@gmail.com wrote:

 I know, JZ, but this vulnerability is in the post and not in the template.
 And this could be generated by a blogger and affect the administrator!
 The blogger can edit, but doesn't have admin. If the blogger posts some
 script, this affects the administrator.



 ---
 Kind regards
 *ANTRAX*
 www.antrax-labs.org


 2013/1/21 Jakub Zoczek zoc...@gmail.com

 Hi,

 *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
 permitted to place custom JavaScript in their own blog templates and blog
 posts; our take on this is that blogs are user-generated content, not
 different from any third-party website on the Internet. Naturally, for your
 safety, we do employ spam and malware detection technologies - but we
 believe that the flexibility in managing your own content is essential to
 the success of our blogging platform.

 Therefore, the ability to execute owner-supplied scripts on your own
 blog is not considered to be a vulnerability. That being said, the ability
 to inject arbitrary JavaScript onto somebody else's blog would likely
 qualify for a reward!

 Source: http://www.google.com/about/appsecurity/reward-program/


 Peace,
 JZ


 On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX antrax...@gmail.com wrote:

 Hi all, I'm ANTRAX from Argentina, and I'm the owner of www.underc0de.org
 Today I am going to share with you an XSS in Blogger. It is very
 simple, but it isn't fixed yet.
 This bug could be exploited by bloggers without administrator
 permissions.

 Steps to reproduce the XSS:

 1.- Create a new post in the blog and insert some script

 [image: Inline image 1]

 2.- When the administrator enters the administration panel, in the
 templates section, Blogger automatically executes the script, because
 Blogger has a mini-preview ("Ahora en el blog", i.e. "Now on the blog") that executes the script

 [image: Inline image 2]

 3.- Ready! The script has been executed!

 [image: Inline image 3]

 Also, you can steal cookies!

 [image: Inline image 4]

 I reported it to Google, but they have not fixed it yet.

 Kind regards partners!

 *ANTRAX*








 --
 gynvael.coldwind//vx




Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google

2013-01-25 Thread Gynvael Coldwind
Hey ANTRAX,

JZ is correct, even in the template view the script is still executed only
in the *.blogspot.com context, and not in the context of blogger.com - look
at your first screenshot - it's clearly said there that the alert box
popped up on *.blogspot.com.

It's good to always alert(document.domain) to be sure of the context in
which the script is executed.
As you know, script executing in the context of the cookieless
*.blogspot.com cannot interact with or steal cookies from the blogger.com domain.

So, to repeat what JZ already said - this is by design, it's not a bug, and
no, you cannot attack an admin this way (unless you found some other way to
execute that script in the context of blogger.com - in such case try
reporting it again).

Cheers,
Gynvael Coldwind



On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX antrax...@gmail.com wrote:

 I know, JZ, but this vulnerability is in the post and not in the template.
 And this could be generated by a blogger and affect the administrator!
 The blogger can edit, but doesn't have admin. If the blogger posts some script,
 this affects the administrator.


 ---
 Kind regards
 *ANTRAX*
 www.antrax-labs.org


 2013/1/21 Jakub Zoczek zoc...@gmail.com

 Hi,

 *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
 permitted to place custom JavaScript in their own blog templates and blog
 posts; our take on this is that blogs are user-generated content, not
 different from any third-party website on the Internet. Naturally, for your
 safety, we do employ spam and malware detection technologies - but we
 believe that the flexibility in managing your own content is essential to
 the success of our blogging platform.

 Therefore, the ability to execute owner-supplied scripts on your own
 blog is not considered to be a vulnerability. That being said, the ability
 to inject arbitrary JavaScript onto somebody else's blog would likely
 qualify for a reward!

 Source: http://www.google.com/about/appsecurity/reward-program/


 Peace,
 JZ


 On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX antrax...@gmail.com wrote:

 Hi all, I'm ANTRAX from Argentina, and I'm the owner of www.underc0de.org
 Today I am going to share with you an XSS in Blogger. It is very
 simple, but it isn't fixed yet.
 This bug could be exploited by bloggers without administrator
 permissions.

 Steps to reproduce the XSS:

 1.- Create a new post in the blog and insert some script

 [image: Inline image 1]

 2.- When the administrator enters the administration panel, in the
 templates section, Blogger automatically executes the script, because
 Blogger has a mini-preview ("Ahora en el blog", i.e. "Now on the blog") that executes the script

 [image: Inline image 2]

 3.- Ready! The script has been executed!

 [image: Inline image 3]

 Also, you can steal cookies!

 [image: Inline image 4]

 I reported it to Google, but they have not fixed it yet.

 Kind regards partners!

 *ANTRAX*








-- 
gynvael.coldwind//vx
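The boundary Gynvael's reply turns on can be made concrete: two browser rules decide whether a script injected into a post on *.blogspot.com can touch the owner's authenticated session on blogger.com, namely the same-origin policy (scheme, host and port must all match) and cookie domain-matching (a cookie scoped to blogger.com is only sent to blogger.com and its subdomains). The following JavaScript is an added example for this page, not code from the thread or from Blogger; the hostnames, URL paths, cookie names and the cookie jar are constructed for illustration, and the model covers only origin and cookie scope (no iframes, postMessage or CSRF). It shows why an alert(document.domain) that reads victim.blogspot.com proves the payload sees none of a blogger.com session, and, as a caveat, why even a payload that really runs on www.blogger.com would not see an HttpOnly session cookie in document.cookie (it could still drive the authenticated UI).

```javascript
// Added example, not from the thread. Models the two browser rules that
// decide whether a payload running on *.blogspot.com can reach a blogger.com
// session: same-origin policy and RFC 6265 cookie domain-matching.
// Hostnames, paths, cookie names and the jar below are constructed.

// Origin = (scheme, host, port); default ports filled in so that
// "https://a/" and "https://a:443/" compare equal.
function parseOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);            // "https:" -> "https"
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname.toLowerCase(), port };
}

// Same-origin policy: script in origin A may read DOM and document.cookie
// only of documents whose origin matches A on all three components.
function sameOrigin(urlA, urlB) {
  const a = parseOrigin(urlA), b = parseOrigin(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// RFC 6265 section 5.1.3 domain-matching: the request host equals the
// cookie's domain or is a subdomain of it; IP-address hosts never match
// a suffix, and "notblogger.com" is not a subdomain of "blogger.com".
function cookieDomainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  if (h === d) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false;
  return h.endsWith('.' + d);
}

// Cookie names that document.cookie exposes to a script at executionUrl:
// the cookie must domain-match, Secure cookies need https, and HttpOnly
// cookies are never readable by script even on the correct origin.
function cookiesReadableByScript(executionUrl, cookieJar) {
  const { scheme, host } = parseOrigin(executionUrl);
  return cookieJar
    .filter(c => cookieDomainMatches(host, c.domain))
    .filter(c => !c.secure || scheme === 'https')
    .filter(c => !c.httpOnly)
    .map(c => c.name);
}

// Verdict for an XSS report: where the payload runs versus where the victim
// is authenticated. crossesBoundary is the question the thread turns on.
function assessXss(payloadUrl, adminUrl, cookieJar) {
  return {
    payloadHost: parseOrigin(payloadUrl).host,
    crossesBoundary: sameOrigin(payloadUrl, adminUrl),
    cookiesReadable: cookiesReadableByScript(payloadUrl, cookieJar),
  };
}

// Constructed jar: a session cookie and a preference cookie, both scoped to
// blogger.com. The blogspot.com hosting domain has no cookies at all.
const SAMPLE_JAR = [
  { name: 'admin_session', domain: '.blogger.com', secure: true,  httpOnly: true  },
  { name: 'ui_prefs',      domain: '.blogger.com', secure: false, httpOnly: false },
];

// Hypothetical URLs: the blog's hosting domain versus the admin origin.
const ADMIN_URL = 'https://www.blogger.com/';
const ON_BLOGSPOT = assessXss('https://victim.blogspot.com/2013/01/post.html', ADMIN_URL, SAMPLE_JAR);
const ON_BLOGGER  = assessXss('https://www.blogger.com/settings', ADMIN_URL, SAMPLE_JAR);

console.log('payload on blogspot.com:', JSON.stringify(ON_BLOGSPOT));
console.log('payload on blogger.com :', JSON.stringify(ON_BLOGGER));
```

Run with node; the first verdict line is the situation in the screenshots (not same-origin, no cookies readable), the second is what a report would have to show to fall under the "somebody else's blog" clause JZ quoted.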

Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google

2013-01-25 Thread ANTRAX
Gynvael Coldwind, I know this and I posted a reply in Underc0de about that.

http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/

It isn't a critical bug but, despite that, this shouldn't happen.

Thanks all!

---
Best Regards
*ANTRAX*



2013/1/25 Gynvael Coldwind gynv...@coldwind.pl

 Hey ANTRAX,

 JZ is correct, even in the template view the script is still executed only
 in the *.blogspot.com context, and not in the context of blogger.com -
 look at your first screenshot - it's clearly said there that the alert box
 popped up on *.blogspot.com.

 It's good to always alert(document.domain) to be sure of the context in
 which the script is executed.
 As you know, script executing in the context of the cookieless
 *.blogspot.com cannot interact with or steal cookies from the blogger.com domain.

 So, to repeat what JZ already said - this is by design, it's not a bug,
 and no, you cannot attack an admin this way (unless you found some other
 way to execute that script in the context of blogger.com - in such case
 try reporting it again).

 Cheers,
 Gynvael Coldwind



 On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX antrax...@gmail.com wrote:

 I know, JZ, but this vulnerability is in the post and not in the template.
 And this could be generated by a blogger and affect the administrator!
 The blogger can edit, but doesn't have admin. If the blogger posts some script,
 this affects the administrator.



 ---
 Kind regards
 *ANTRAX*
 www.antrax-labs.org


 2013/1/21 Jakub Zoczek zoc...@gmail.com

 Hi,

 *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
 permitted to place custom JavaScript in their own blog templates and blog
 posts; our take on this is that blogs are user-generated content, not
 different from any third-party website on the Internet. Naturally, for your
 safety, we do employ spam and malware detection technologies - but we
 believe that the flexibility in managing your own content is essential to
 the success of our blogging platform.

 Therefore, the ability to execute owner-supplied scripts on your own
 blog is not considered to be a vulnerability. That being said, the ability
 to inject arbitrary JavaScript onto somebody else's blog would likely
 qualify for a reward!

 Source: http://www.google.com/about/appsecurity/reward-program/


 Peace,
 JZ


 On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX antrax...@gmail.com wrote:

 Hi all, I'm ANTRAX from Argentina, and I'm the owner of www.underc0de.org
 Today I am going to share with you an XSS in Blogger. It is very
 simple, but it isn't fixed yet.
 This bug could be exploited by bloggers without administrator
 permissions.

 Steps to reproduce the XSS:

 1.- Create a new post in the blog and insert some script

 [image: Inline image 1]

 2.- When the administrator enters the administration panel, in the
 templates section, Blogger automatically executes the script, because
 Blogger has a mini-preview ("Ahora en el blog", i.e. "Now on the blog") that executes the script

 [image: Inline image 2]

 3.- Ready! The script has been executed!

 [image: Inline image 3]

 Also, you can steal cookies!

 [image: Inline image 4]

 I reported it to Google, but they have not fixed it yet.

 Kind regards partners!

 *ANTRAX*








 --
 gynvael.coldwind//vx
