Full Disclosure mailing list archives

Re: Re: [WEB SECURITY] Cross Site Scripting in Google


From: n3td3v <xploitable () gmail com>
Date: Wed, 5 Jul 2006 19:49:11 +0100

This one is bogus...

On 7/5/06, RSnake <rsnake () shocking com> wrote:
> Here's another one:
>
> http://www.google.com/url?sa=D&q=http://www.fthe.net

Wrong! That redirection URL is doing exactly what it's meant to do. The
system is used when you post a URL on a Google Groups description for
example. There is no exploit there, and it won't be fixed by Google,
because there's nothing to fix. Try it for yourself. Create yourself a
Google Group and put in a URL in the group description, and you will
see your URL has been added to the end of www.google.com/url

Likewise on Yahoo, Yahoo have rd.yahoo.com for exactly the same
reason, to keep track of URLs posted by the public on their web
applications.

Google and Yahoo use the system, so they can store URLs on a database,
where they have full control of URLs posted by the public.

Google and Yahoo are sick of people mentioning their URL redirection
system on security lists. The system was designed to do what you're
showing in your example, by default. It is designed for the only purpose
you're showing everyone right now.

There is no threat beyond what the design specification of the URL
redirection web address is supposed to do.

Please go away and only post _real_ disclosures for Google and Yahoo in future.

n3td3v
