
googlecustom-xss.txt

Posted on 08 August 2007

#####################################################
Google custom search engine contributors invite XSS
Vendor url: http://www.google.com
Product url: http://www.google.com/coop/cse/
Advisory url: http://lostmon.blogspot.com/2007/08/google-custom-search-engine.html
Vendor notify: yes
Vendor confirmed: yes
Fixed: yes
#####################################################

Description:

A Custom Search Engine is a tailored search experience, built using Google's core search technology, which prioritizes or restricts search results based on websites and pages that you specify, and which can be tailored to reflect your point of view or area of expertise.

Google Custom Search Engine has a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple parameters upon submission to multiple scripts. This could allow a user to create a specially crafted invite that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

################
timeline
################

Discovered: 31-07-2007
Vendor notify: 31-07-2007
Vendor response: 31-07-2007
Vendor fix: 07-08-2007 (I tested it today)
Disclosure: 07-08-2007

####################
explanation
####################

See this screenshot:
http://usuarios.lycos.es/reyfuss/xss/images/Google_custom_search_engine.jpg

Go to http://www.google.com/coop/manage/cse/collaboration?cx=[token of search engine] and, in 'Add a personal note to the invitation', write some JavaScript or HTML code and then click on 'invite preview'. This code is executed...

Also, if the code is converted to hex values with semicolons, the form transforms it to HTML code, but it does not execute it :) We can also try converting it to decimal values, and it shows the HTML too without executing it.

It only works with 'simple' HTML.

#########################
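Added example, not part of the original advisory: a Python sketch of the invite-preview behaviour described above, comparing an unencoded note with an HTML-encoded one and showing why the hex and decimal character-reference forms are displayed but not executed. The template markup, function names and sample notes are assumptions constructed for illustration; the advisory does not show Google's actual page code.

```python
from html import escape
from html.parser import HTMLParser

# Assumed preview markup; the advisory does not show the real template.
TEMPLATE = '<div class="invite-note">{note}</div>'

# Constructed sample notes: raw markup, then the same text as hex and
# decimal character references (the "with semicolons" forms).
RAW = "<script>alert(1)</script>"
HEX = "&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;"
DEC = "&#60;script&#62;alert(1)&#60;/script&#62;"


def render_unsafe(note):
    """Behaviour described in the advisory: note inserted unencoded."""
    return TEMPLATE.format(note=note)


def render_safe(note):
    """Fix: HTML-encode the note before placing it in element content."""
    return TEMPLATE.format(note=escape(note, quote=True))


class _Collector(HTMLParser):
    """Records the elements and visible text an HTML parser produces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def parse(page):
    """Return (list of start tags, concatenated text) for a page."""
    collector = _Collector()
    collector.feed(page)
    collector.close()
    return collector.tags, "".join(collector.text)


if __name__ == "__main__":
    for name, note in (("raw", RAW), ("hex", HEX), ("dec", DEC)):
        print(name, "unsafe:", parse(render_unsafe(note)))
        print(name, "safe:  ", parse(render_safe(note)))
```

Only the raw note produces a script element in the unencoded rendering; the hex and decimal forms are decoded into text, which is why they are shown without running. With output encoding, every form of the note is parsed as text.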

 
