Google Message Security SaaS Cross Site Scripting

16 Sep 2010. Reported by Dr. Marian Ventuneac. Source: packetstorm (packetstormsecurity.com).

Google Message Security SaaS (Postini) Multiple Cross-Site Scripting (XSS) vulnerabilities in Security Console, Message Center Classic, and Message Center II

Code
`  
  
  
Security Advisory: MVSA-10-002  
Vendor: Google   
Service: Google Message Security SaaS (powered by Postini)  
- Security Console (Admin Console)  
- Message Center Classic  
- Message Center II  
Vulnerabilities: Multiple Cross-Site Scripting (XSS)  
Risk: High   
Attack Vector: From Remote   
Authentication: Required  
Reference: http://www.ventuneac.net/security-advisories/MVSA-10-002  
http://secureappdev.blogspot.com/2010/09/testing-google-message-security-saas.html  
  
  
Description  
  
Multiple persistent and reflected Cross-Site Scripting (XSS) vulnerabilities were identified in Security Console (Admin Console), Message Center Classic and Message Center II services of Google Message Security (powered by Postini).  
  
When exploited, the identified vulnerabilities could lead to session hijacking, information disclosure, forced installation of malicious files or Trojans on users' PCs, etc.  
  
  
Security Console (Admin Console)  
--------------------------------  
  
* Persistent XSS: parameter setconf-neworg of /exec/admin_orgs resource allows an attacker to inject malicious HTML and JavaScript code which is persistently stored as part of a sub-organization name (ORGS and USERS>Orgs>Add Sub-Org).   
Additionally, an effective DoS attack can be mounted against the organization's administrators by injecting malicious code which prevents the Web user interface from rendering properly.  
* Reflected XSS: multiple parameters of /exec/admin_list resource.  
* Reflected XSS: multiple parameters of /exec/admin_auth resource.  
  
  
Message Center Classic  
----------------------  
  
* Reflected XSS: parameters add-good_address and add-bad_address of /exec/MsgSet resource.   
  
/exec/MsgSet?action=change_MsgSettings?add-good_addresses=a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Save+to+List&submit=Save+to+List  
  
/exec/MsgSet?action=change_MsgSettings?add-bad_addresses=a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Save+to+List&submit=Save+to+List  
  
* Reflected XSS: parameters msgid and disp of /exec/MsgCtr resource.  
  
/exec/MsgCtr?action=display_Message&msgid=" style%3d"display: block; width: 500px; height: 500px; border: 5px solid black" onmouseover%3d"javascript:alert(1)" yyy&disp=M  
  
When Firefox 3.0.x is used (tested with FF 3.0.1), the attack above makes the hidden INPUT element visible, so the injected JavaScript code is executed through its onmouseover event.  
  
/exec/MsgCtr?action=display_Message&msgid=yyy&disp=M" onmouseover%3d"javascript: alert(1)"  
  
  
Message Center II  
-----------------  
  
* Reflected XSS: parameters id and source_uri of /msgctr/message_display resource.   
  
/msgctr/message_display?id='%3balert(1)%3b//&source_uri=/app/msgctr/junk_quarantine  
  
/msgctr/message_display?id=yyy&trash=trash&source_uri=%2Fapp%2Fmsgctr%2Ftrash%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E  
  
  
Affected Versions  
  
Security Console build 6_24 (January 2010).  
Message Center Classic build 6_24 (January 2010).  
Message Center II build 6_24 (January 2010), build 6_25 (February 2010), build 6_26 (March 2010) and build 6_27 (April 2010).  
  
  
Mitigation  
  
Google fixed a first batch of vulnerabilities affecting Security Console and Message Center Classic in build 6_25 (February 2010).  
Additional fixes were included in subsequent releases, with the last fixes added in build 6_29 (June 2010).  
  
  
Disclosure Timeline  
  
2010, January 24: Security Console and Message Center II vulnerabilities discovered  
2010, January 24: Notification sent to Google  
2010, January 25: Google acknowledges the vulnerabilities  
2010, February 22: Google deploys first set of fixes  
2010, April 27: Additional vulnerabilities identified and notification sent to Google  
2010, April 28: Additional vulnerabilities identified and notification sent to Google  
2010, June 21: Google deploys additional fixes  
2010, September 15: MVSA-10-002 advisory published.  
  
  
Credits  
  
Dr. Marian Ventuneac  
http://ventuneac.net  
`
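As an added example (not part of the advisory or of the Postini product), the script below scans constructed Apache-style access-log lines for requests that carry the injection patterns the advisory describes against the named resources and parameters; the resource/parameter map is taken from the advisory text, and the log lines and client addresses are made up for the demonstration.

```python
"""Scan access-log lines for probes of the MVSA-10-002 XSS parameters.
Added example, not part of the advisory; the log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Resource -> parameters the advisory names as XSS sinks; None = every
# parameter (the advisory says "multiple parameters" without naming them).
WATCHED = {
    "/exec/admin_orgs": {"setconf-neworg"},
    "/exec/admin_list": None,
    "/exec/admin_auth": None,
    "/exec/MsgSet": {"add-good_addresses", "add-bad_addresses"},
    "/exec/MsgCtr": {"msgid", "disp"},
    "/msgctr/message_display": {"id", "source_uri"},
}
# Injection styles shown in the advisory: <script> tags, attribute break-out
# with an inline style or event handler, and JS statement injection.
MARKERS = re.compile(r"<\s*/?\s*script|on\w+\s*=|[\"']\s*style\s*=|;\s*alert\s*\(", re.I)
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

def parse_request(url):
    """Return (path, [(param, decoded value), ...]) for a request URL."""
    parts = urlsplit(url)
    # Some PoCs in the advisory carry a second '?' inside the query string;
    # treat it as '&' so the injected parameter is still seen under its name.
    return parts.path, parse_qsl(parts.query.replace("?", "&"), keep_blank_values=True)

def scan_log(lines):
    """Return [(client_ip, path, param, decoded value)] for flagged parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, params = parse_request(m.group("url"))
        watched = WATCHED.get(path, set())
        for name, value in params:
            if (watched is None or name in watched) and MARKERS.search(value):
                hits.append((line.split()[0], path, name, value))
    return hits

# Constructed sample log (Apache-style; payloads URL-encoded as a browser sends them).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jan/2010:10:00:01 +0000] "GET /exec/MsgCtr?action=display_Message&msgid=yyy&disp=M HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Jan/2010:10:00:02 +0000] "GET /exec/MsgSet?action=change_MsgSettings?add-good_addresses=a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Save+to+List HTTP/1.1" 200 1024',
    '203.0.113.9 - - [24/Jan/2010:10:00:03 +0000] "GET /exec/MsgCtr?action=display_Message&msgid=yyy&disp=M%22%20onmouseover%3D%22javascript:alert(1)%22 HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Jan/2010:10:00:04 +0000] "GET /msgctr/message_display?id=%27%3Balert(1)%3B//&source_uri=/app/msgctr/junk_quarantine HTTP/1.1" 200 768',
    '203.0.113.5 - - [24/Jan/2010:10:00:05 +0000] "GET /exec/admin_auth?user=admin%40example.com&next=%2Fexec%2Fadmin_list HTTP/1.1" 302 0',
]
```

Running `scan_log(SAMPLE_LOG)` flags the three probe lines by parameter name and leaves the two ordinary requests alone; the marker list is deliberately narrow and should be widened for production use.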
