Full Disclosure mailing list archives
Re: XSS vulnerabilities in Google.com
From: "GroundZero Security" <fd () g-0 org>
Date: Wed, 21 Dec 2005 16:03:19 +0100
Sure, but "google != howardsblog.com". A large part of the population (including myself) relies on Google's various services for day-to-day use. I sure as hell would not feel comfortable knowing that I'm using a service that can potentially leak my information.
i'm not talking about some shitty site that noone knows, but a lof of big websites have such vulnerabilities.
That's quite a blanket statement to make. I'm sure a few people in the "security community" would like to know that there exists a vulnerability in a Google service.
yeah maybe but if we end up posting about every site that offers services to users and has xss issues then this list would be reciving a flood of mails :P its not hard to test for xss, so if you are really so afraid of it go test it yourself and notify the website owner.
No. But a site need not be audited to discover a bug.
ah ok so you think illegal activity is the way to go ? you cant just audit any site you want you know, but hey if you want to get a visit from the feds why dont you audit some gov/mil i'm sure there are lots of xss to discover :P
XSS can do a lot of harm. A compromised administrator account is generally a compromised server. There are some good XSS resources on the web you can read up on.
no as they dont rely on /etc/passwd users but have their own database usually via mysql or so and a compromised admin user on some webinterface isnt always going to end up in compromise of the whole server unless the admin is stupid enough to use the same passwords for root and the webbased software. in most cases this will only end up in control of the web parts i.e. some forum. i agree that this is a problem, but its still not resulting in root access on the shell. oh and i dont have to read about it so keep your sarcasm to yourself.
Then, my friend, you have discovered a bug.
mhm sure, imagine you find a DoS in your precious google, then you would take them down and you really belive they would thank you for that ? you would be raided in no time. you think they would belive you that you did it only for a good cause ? yeah right...
"There are 10 types of people. Those who understand binary, and those who don't."
you dont... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS vulnerabilities in Google.com Watchfire Research (Dec 21)
- Re: XSS vulnerabilities in Google.com GroundZero Security (Dec 21)
- Re: XSS vulnerabilities in Google.com n3td3v (Dec 21)
- Re: XSS vulnerabilities in Google.com GroundZero Security (Dec 21)
- Re: XSS vulnerabilities in Google.com n3td3v (Dec 21)
- Re: XSS vulnerabilities in Google.com Stan Bubrouski (Dec 21)
- Re: XSS vulnerabilities in Google.com n3td3v (Dec 21)
- Re: XSS vulnerabilities in Google.com GroundZero Security (Dec 21)
- Re: XSS vulnerabilities in Google.com Mohit Muthanna (Dec 21)
- Re: XSS vulnerabilities in Google.com GroundZero Security (Dec 21)
- Re: XSS vulnerabilities in Google.com Romain Chantereau (Dec 21)
- Re: XSS vulnerabilities in Google.com n3td3v (Dec 21)
- Re: XSS vulnerabilities in Google.com GroundZero Security (Dec 21)
- Re: XSS vulnerabilities in Google.com fok yo (Dec 21)
- Re: XSS vulnerabilities in Google.com n3td3v (Dec 21)
- Re: XSS vulnerabilities in Google.com Mohit Muthanna (Dec 21)
- <Possible follow-ups>
- Re: XSS vulnerabilities in Google.com GroundZero Security (Dec 21)
- Re: XSS vulnerabilities in Google.com n3td3v (Dec 21)
- Re: XSS vulnerabilities in Google.com GroundZero Security (Dec 21)
- Re: XSS vulnerabilities in Google.com n3td3v (Dec 21)