Gynvael Coldwind, I know this and I posted a reply in Underc0de about that.
http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/

It isn't a critical bug but, despite that, this shouldn't happen. Thanks all!

---
Best Regards
*ANTRAX*

2013/1/25 Gynvael Coldwind <gynv...@coldwind.pl>

> Hey ANTRAX,
>
> JZ is correct, even in the template view the script is still executed only
> in the *.blogspot.com context, and not in the context of blogger.com -
> look at your first screenshot - it's clearly said there that the alert box
> popped up on *.blogspot.com.
>
> It's good to always alert(document.domain) to be sure of the context in
> which the script is executed.
> As you know, script executing in the context of the cookieless
> *.blogspot.com cannot interact / or steal cookies from blogger.com domain.
>
> So, to repeat what JZ already said - this is by design, it's not a bug,
> and no, you cannot attack an admin this way (unless you found some other
> way to execute that script in the context of blogger.com - in such case
> try reporting it again).
>
> Cheers,
> Gynvael Coldwind
>
>
> On Tue, Jan 22, 2013 at 1:11 AM, ANTRAX <antrax...@gmail.com> wrote:
>
>> I know JZ, but this vulnerability is in the post and not in the template.
>> And this could be generated by a blogger and affect the administrator!
>> The blogger can edit, but doesn't have admin. If the blogger posts some
>> script, this affects the administrator.
>>
>> ---
>> Kind regards
>> *ANTRAX*
>> www.antrax-labs.org
>>
>>
>> 2013/1/21 Jakub Zoczek <zoc...@gmail.com>
>>
>>> Hi,
>>>
>>> *Execution of owner-supplied JavaScript on Blogger:* Blogger users are
>>> permitted to place custom JavaScript in their own blog templates and blog
>>> posts; our take on this is that blogs are user-generated content, not
>>> different from any third-party website on the Internet. Naturally, for your
>>> safety, we do employ spam and malware detection technologies - but we
>>> believe that the flexibility in managing your own content is essential to
>>> the success of our blogging platform.
>>>
>>> *Therefore, the ability to execute owner-supplied scripts on your own
>>> blog is not considered to be a vulnerability. That being said, the ability
>>> to inject arbitrary JavaScript onto somebody else's blog would likely
>>> qualify for a reward!*
>>>
>>> Source: <http://www.google.com/about/appsecurity/reward-program/>
>>>
>>>
>>> Peace,
>>> JZ
>>>
>>>
>>> On Tue, Jan 22, 2013 at 12:01 AM, ANTRAX <antrax...@gmail.com> wrote:
>>>
>>>> Hi all, I'm ANTRAX from Argentina, and I'm the owner of www.underc0de.org.
>>>> Today I am going to share with you an XSS in Blogger. It is very
>>>> simple, but it isn't fixed yet.
>>>> This bug could be exploited by bloggers without administrator
>>>> permissions.
>>>>
>>>> Steps to reproduce the XSS:
>>>>
>>>> 1.- Create a new post in the blog and insert some script
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> 2.- When the administrator enters the administration panel in the
>>>> "templates" section, Blogger automatically executes the script, because
>>>> Blogger has a mini-preview in "Ahora en el blog" ("Now on the blog"),
>>>> which then executes the script
>>>>
>>>> [image: Inline image 2]
>>>>
>>>> 3.- Ready! The script has been executed!
>>>>
>>>> [image: Inline image 3]
>>>>
>>>> Also, you can steal cookies!
>>>>
>>>> [image: Inline image 4]
>>>>
>>>> I reported it to Google, but they haven't fixed it yet.
>>>>
>>>> Kind regards partners!
>>>>
>>>> *ANTRAX*
>>>>
>>>
>>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> --
> gynvael.coldwind//vx
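Gynvael's advice above is to check document.domain before concluding anything about impact. As an added example that is not part of the thread, the following JavaScript turns that into the two checks a triager would run on such a report: the same-origin comparison and RFC 6265 cookie domain matching. The URLs and the cookie domain are constructed sample values, not taken from Blogger.

```javascript
// Added example, not part of the thread: the origin and cookie-scope checks
// a triager would apply to a report like the one above. Sample URLs and the
// cookie domain below are constructed values, not taken from Blogger.

// Origin = scheme + host (+ non-default port), the unit the same-origin
// policy compares; this is what alert(document.domain) is used to eyeball.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// RFC 6265 domain-matching: a cookie with Domain=<cookieDomain> is sent to
// <host> only if host equals it or is a subdomain of it. A plain endsWith()
// would wrongly match "evilblogger.com" against "blogger.com".
function cookieDomainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Decide whether script running at executionUrl can touch the claimed
// target: same origin, or at least able to read the target's cookies.
function triageXssReport(report) {
  const execHost = new URL(report.executionUrl).hostname;
  const verdict = {
    executionOrigin: originOf(report.executionUrl),
    sameOriginAsTarget: sameOrigin(report.executionUrl, report.claimedTargetUrl),
    targetCookiesReadable: cookieDomainMatches(execHost, report.targetCookieDomain),
  };
  verdict.impactOnTarget = verdict.sameOriginAsTarget || verdict.targetCookiesReadable;
  return verdict;
}

// Constructed report in the shape of the thread: the script runs on a blog
// subdomain, while the claim is about the blogger.com admin panel.
const SAMPLE_REPORT = {
  claimedTargetUrl: "https://www.blogger.com/home",
  executionUrl: "https://some-blog.blogspot.com/2013/01/post.html",
  targetCookieDomain: ".blogger.com",
};

console.log(triageXssReport(SAMPLE_REPORT));
```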