
List:       full-disclosure
Subject:    Re: [Full-disclosure] [0 Day] XSS Persistent in Blogspot of Google
From:       antisnatchor <antisnatchor () gmail ! com>
Date:       2013-01-29 11:03:21
Message-ID: 5107AC79.7080207 () gmail ! com


Agree with Michal,

In the end you achieve code execution with an XSS as well; it's just in
the DOM.
Depending on the attack surface, browser type and so on, this can be
devastating.

I bet you remember the XSS on the Amazon EC2 web interface, which combined
with XSRF led to stealing X.509 certificates and so on :D

Cheers
antisnatchor

> ------------------------------------------------------------------------
>
> 	Michal Zalewski <mailto:lcamtuf@coredump.cx>
> January 27, 2013 7:17 PM
>
>
>     OGMMM WTFF 0DAY XSS
>     Sorry, getting a bit tired of these.
>
>
> Well, the world is changing. You can probably do a lot more direct
> damage with a (legit) XSS in a high-value site than with a local
> privilege escalation in sudo.
>
> XSS reports are less actionable for the average reader, but full
> disclosure is probably still beneficial, in that it provides data
> points about the types of flaws a particular vendor happens to have,
> and the speed and quality of the deployed fixes.
>
> Of course, many of the XSS reports in knorr.com and
> similarly exciting destinations are zzzzzzzzzz...
>
> /mz
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> 	Elfius <mailto:elfius@gmail.com>
> January 25, 2013 11:56 PM
>
>
> OGMMM WTFF 0DAY XSS
>
> Sorry, getting a bit tired of these.
>
>
> ------------------------------------------------------------------------
>
> 	ANTRAX <mailto:antrax.bt@gmail.com>
> January 25, 2013 3:50 PM
>
>
> Gynvael Coldwind, I know this and I posted a reply in Underc0de about
> that.
>
> http://underc0de.org/foro/hacking-showoff/xss-persistente-blogger-13978/
>
> It isn't a critical bug but, despite that, this shouldn't happen.
>
> Thanks all!
>
> ---
> Best Regards
> *ANTRAX*
>
>
>
>
> ------------------------------------------------------------------------
>
> 	Gynvael Coldwind <mailto:gynvael@coldwind.pl>
> January 25, 2013 1:24 PM
>
>
> Hey ANTRAX,
>
> JZ is correct, even in the template view the script is still executed
> only in the *.blogspot.com context, and not in
> the context of blogger.com - look at your first
> screenshot - it clearly says there that the alert box popped up on
> *.blogspot.com.
>
> It's good to always alert(document.domain) to be sure of the context
> in which the script is executed.
> As you know, a script executing in the context of the cookieless
> *.blogspot.com cannot interact with or steal
> cookies from the blogger.com domain.
>
> So, to repeat what JZ already said - this is by design, it's not a
> bug, and no, you cannot attack an admin this way (unless you found
> some other way to execute that script in the context of blogger.com
> - in such case try reporting it again).
>
> Cheers,
> Gynvael Coldwind
>
>
>
>
>
>
> -- 
> gynvael.coldwind//vx
> ------------------------------------------------------------------------
>
> 	ANTRAX <mailto:antrax.bt@gmail.com>
> January 22, 2013 12:11 AM
>
>
> I know JZ, but this vulnerability is in the post and not in the template.
> And this could be generated by a blogger and affect the administrator!
> The blogger can edit, but doesn't have admin. If the blogger posts some
> script, this affects the administrator.
>
>
> ---
> Kind regards
> *ANTRAX*
> www.antrax-labs.org
>
>
>
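The origin and cookie-scoping rules Gynvael relies on above (alert(document.domain) to identify the execution context; a cookieless *.blogspot.com page cannot read cookies scoped to blogger.com) can be checked mechanically when triaging an XSS report. The following is an added example written for this page, not code from the thread or from Google: sameOrigin() applies the browser's scheme/host/port comparison, cookieDomainMatches() applies the RFC 6265 domain-match rule that governs which hosts a cookie is visible to, and classifyFinding() combines them into a triage verdict. All hostnames are constructed samples (victim-blog.blogspot.com, some-subdomain.blogger.com are placeholders), and the cookie domain "blogger.com" is an assumption used for illustration.

```javascript
// Added example (not from the thread): origin and cookie-scope checks that
// make the "by design, not a bug" argument concrete. Hostnames below are
// constructed samples; "blogger.com" as the session cookie's Domain is an
// assumption for illustration.

// Two URLs are same-origin only if scheme, host and port all match. This is
// what the browser checks before script on one document may read the DOM,
// storage or document.cookie of another. WHATWG URL parsing drops default
// ports, so https://host:443 and https://host compare equal.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// RFC 6265 section 5.1.3 domain matching: a cookie whose Domain attribute is
// cookieDomain is visible to requestHost only if the host equals the domain
// or is a subdomain of it, and the host is not an IP literal.
function cookieDomainMatches(cookieDomain, requestHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = requestHost.toLowerCase();
  if (h === d) return true;
  if (/^[\d.]+$/.test(h) || h.includes(':')) return false; // IPv4 / IPv6 literal
  return h.endsWith('.' + d);
}

// The habit recommended in the thread: record where the script actually ran
// instead of popping alert(1). The document-like object is a parameter so the
// function also runs outside a browser.
function executionContext(doc) {
  return { domain: doc.domain, origin: doc.location.origin };
}

// Triage verdict for a reported XSS: "same-origin" if the injected script runs
// on the same origin as the admin application, "cookie-domain-match" if it runs
// on a different origin that still domain-matches the admin session cookie, and
// "isolated" if neither holds (the *.blogspot.com case in this thread).
function classifyFinding(scriptUrl, adminUrl, adminCookieDomain) {
  if (sameOrigin(scriptUrl, adminUrl)) return 'same-origin';
  const scriptHost = new URL(scriptUrl).hostname;
  if (cookieDomainMatches(adminCookieDomain, scriptHost)) return 'cookie-domain-match';
  return 'isolated';
}

// Stand-alone demonstration with the constructed sample from this thread.
const sampleDoc = {
  domain: 'victim-blog.blogspot.com',
  location: { origin: 'https://victim-blog.blogspot.com' },
};
console.log(executionContext(sampleDoc));
console.log(classifyFinding(
  'https://victim-blog.blogspot.com/2013/01/post.html',
  'https://www.blogger.com/',
  'blogger.com'
)); // isolated
```

The verdict "isolated" is the case discussed in the thread: the script runs, but in an origin that neither matches the admin application nor domain-matches its cookies, so it cannot reach an administrator's session. A finding would only move to "same-origin" if, as Gynvael says, a way were found to run the script in the blogger.com context, which is what would make it worth reporting.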

