Full Disclosure mailing list archives
Re: [Google Chrome Browser] Google Mail Checker Plus: JavaScript Code Execution
From: Jardel Weyrich <jweyrich () gmail com>
Date: Sun, 20 Feb 2011 15:23:00 -0300
The XSS in Google Mail Checker Plus was reported in 06/2010. However, the latest version is still vulnerable. The PoC can be an email with a body like this: Anything in this line, or nothing at all <script>alert('you are vulnerable');</script> I posted a notification on their support forum yesterday. -jardel On Sat, Feb 19, 2011 at 7:59 PM, ck <c.kernstock () googlemail com> wrote:
Well, at least "><script>alert(/XSS/)</script> works great: http://img6.imagebanana.com/img/4tyst18d/one.png http://img6.imagebanana.com/img/wh9zwmc6/two.png Thx to Friedrich Hausberger for his mail to FD :) ck _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [Google Chrome Browser] Google Mail Checker Plus: JavaScript Code Execution ck (Feb 20)
- Re: [Google Chrome Browser] Google Mail Checker Plus: JavaScript Code Execution Jardel Weyrich (Feb 20)