Full Disclosure mailing list archives

Re: [Google Chrome Browser] Google Mail Checker Plus: JavaScript Code Execution

From: Jardel Weyrich <jweyrich () gmail com>
Date: Sun, 20 Feb 2011 15:23:00 -0300

The XSS in Google Mail Checker Plus was reported in 06/2010. However, the
latest version is still vulnerable.

The PoC can be an email with a body like this:
Anything in this line, or nothing at all
<script>alert('you are vulnerable');</script>

I posted a notification on their support forum yesterday.

-jardel

On Sat, Feb 19, 2011 at 7:59 PM, ck <c.kernstock () googlemail com> wrote:

Well, at least "><script>alert(/XSS/)</script> works great:

http://img6.imagebanana.com/img/4tyst18d/one.png
http://img6.imagebanana.com/img/wh9zwmc6/two.png

Thx to Friedrich Hausberger for his mail to FD :)

ck

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[Google Chrome Browser] Google Mail Checker Plus: JavaScript Code Execution ck (Feb 20)
- Re: [Google Chrome Browser] Google Mail Checker Plus: JavaScript Code Execution Jardel Weyrich (Feb 20)