Full Disclosure mailing list archives
Re: Re: [WEB SECURITY] Cross Site Scripting in Google
From: n3td3v <xploitable () gmail com>
Date: Wed, 5 Jul 2006 19:49:11 +0100
This one is a bogus...

On 7/5/06, RSnake <rsnake () shocking com> wrote:
> Here's another one: http://www.google.com/url?sa=D&q=http://www.fthe.net

Wrong! That redirection URL is doing exactly what it's meant to do. The system is used when you post a URL on a Google Groups description, for example. There is no exploit there, and it won't be fixed by Google, because there's nothing to fix.

Try it for yourself. Create yourself a Google Group and put in a URL in the group description, and you will see your URL has been added to the end of www.google.com/url.

Likewise on Yahoo, Yahoo have rd.yahoo.com for exactly the same reason, to keep track of URLs posted by the public on their web applications. Google and Yahoo use the system so they can store URLs on a database, where they have full control of URLs posted by the public.

Google and Yahoo are sick of people mentioning their URL redirection system on security lists. The system was designed to do what you're showing in your example, by default. It is designed for the only purpose you're showing everyone right now. There is no threat beyond what the design specification of the URL redirection web address is supposed to do.

Please go away and only post _real_ disclosures for Google and Yahoo in future.

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:
- Cross Site Scripting in Google RSnake (Jul 04)
- Re: [WEB SECURITY] Cross Site Scripting in Google bugtraq (Jul 05)
- Re: [WEB SECURITY] Cross Site Scripting in Google mikeiscool (Jul 05)
- Re: [WEB SECURITY] Cross Site Scripting in Google RSnake (Jul 05)
- Re: Re: [WEB SECURITY] Cross Site Scripting in Google n3td3v (Jul 05)
- Re: Re: [WEB SECURITY] Cross Site Scripting in Google Javor Ninov (Jul 05)
- RE: Re: [WEB SECURITY] Cross Site Scripting inGoogle Edward Pearson (Jul 06)
- Re: [WEB SECURITY] Cross Site Scripting in Google bugtraq (Jul 05)