googlecustom-xss.txt

2007-08-08T00:00:00
ID PACKETSTORM:58357
Type packetstorm
Reporter Lostmon
Modified 2007-08-08T00:00:00

Description

                                        
                                            `#####################################################  
Google Custom Search Engine contributor invite XSS  
Vendor url: http://www.google.com  
Product url: http://www.google.com/coop/cse/  
Advisory url: http://lostmon.blogspot.com/2007/08/google-custom-search-engine.html  
Vendor notified: yes, vendor confirmed: yes, fixed: YES  
#####################################################  
  
Description:  
  
A Custom Search Engine is a tailored search experience,  
built using Google's core search technology, which  
prioritizes or restricts search results based on websites  
and pages that you specify, and which can be tailored to  
reflect your point of view or area of expertise.  
  
Google Custom Search Engine has a flaw that allows a remote  
cross-site scripting attack. The flaw exists because the  
application does not validate multiple parameters submitted  
to multiple scripts. This could allow a user to create a specially  
crafted invite that would execute arbitrary code in a user's browser  
within the trust relationship between the browser and the server,  
leading to a loss of integrity.  
  
################  
timeline  
###############  
  
discovered: 31-07-2007  
vendor notified: 31-07-2007  
vendor response: 31-07-2007  
vendor fix: 07-08-2007 (I tested it today)  
disclosure: 07-08-2007  
  
####################  
explanation  
###################  
  
See this screenshot:  
  
http://usuarios.lycos.es/reyfuss/xss/images/Google_custom_search_engine.jpg  
  
Go to  
  
http://www.google.com/coop/manage/cse/collaboration?cx=[token of search engine]  
  
and in 'Add a personal note to the invitation' write some JavaScript  
or HTML code, then click on 'invite preview':  
this code is executed...  
  
Also, the form converts the input to hexadecimal entities with semicolons for HTML:  
  
  
It works: the input is transformed into HTML code, but it is not executed :)  
  
We can also try converting it to decimal values, and it likewise shows the  
HTML without executing it.  
This only works with 'simple' HTML.  
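Added example (not part of the advisory or of Google's code): a minimal Python model of the invite-preview rendering, showing the unescaped insertion the advisory describes beside an entity-escaped version, plus a check that reproduces the observation that hex-entity input is displayed as markup text without executing. The note text and the page template are constructed for the example.

```python
import html
import re

# Constructed sample of an attacker-controlled "personal note" from the
# invite form: a script tag plus ordinary markup.
NOTE = '<script>alert("xss")</script> <b>join my search engine</b>'

# Constructed stand-in for the invite-preview page; the note is inserted
# inside the blockquote.
TEMPLATE = (
    "<p>You have been invited to contribute to a Custom Search Engine.</p>\n"
    "<blockquote>{note}</blockquote>"
)

# Any raw tag the browser's HTML parser would act on.
RAW_TAG = re.compile(r"<[a-zA-Z/!][^>]*>")


def render_preview_vulnerable(note: str) -> str:
    """The flaw in the advisory: the note is placed in the page unchanged,
    so any markup in it becomes part of the DOM and scripts run."""
    return TEMPLATE.format(note=note)


def render_preview_fixed(note: str) -> str:
    """Hardened form: HTML-significant characters become entities, so the
    browser shows the note as text instead of parsing it."""
    return TEMPLATE.format(note=html.escape(note, quote=True))


def to_hex_entities(text: str) -> str:
    """Encode every character as &#x..; (the 'hexa with semicolons' form
    the advisory mentions)."""
    return "".join(f"&#x{ord(c):x};" for c in text)


def note_is_inert(rendered: str) -> bool:
    """True when the blockquote body contains no raw tag. Entity-encoded
    markup such as &lt;script&gt; or &#x3c;b&#x3e; is displayed as the
    characters '<b>', which is why the advisory's hex and decimal variants
    showed the HTML without executing it."""
    body = rendered.split("<blockquote>", 1)[1].rsplit("</blockquote>", 1)[0]
    return RAW_TAG.search(body) is None


if __name__ == "__main__":
    print("vulnerable inert:", note_is_inert(render_preview_vulnerable(NOTE)))
    print("fixed inert:     ", note_is_inert(render_preview_fixed(NOTE)))
    print("hex-entity inert:",
          note_is_inert(render_preview_vulnerable(to_hex_entities(NOTE))))
```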
  
######################### €nd ########################  
  
Thanks to Estrella for being my light  
Thanks to all the Lostmon Team !!  
  
  
--   
Sincerely:  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
Curiosity is what moves the mind....  