About
Title: Reflected XSS in Google Groups
Business Risk: High
Discovery Date: October/November
Payload: <href="url" onmouseover=alert(1)>
Author: Manuel Sousa (me)
Steps to Reproduce
This bug requires 2 accounts.
1. Login to Google Groups With Account 1
2. Create a group.
3. Publish in the group and Upload a .swf file with a payload written in the file. (Download here!)
4. Now click on "see".
5. Now you will see an XSS on the "sandbox" domain (No problem ;))
Now we have a link to access the .swf file (https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/xss.swf?part=4&authuser=0&view=1)
6. Log out of Google services with Account 1.
7. Log in to Google services with Account 2.
8. Now access the file created before with Account 1.
9. Now we will see a forbidden page (the file is restricted).
10. Inject the code ( <href="url" onmouseover=alert(1)>SOMETEXTHERE)
11. Injected link: https://groups.google.com/
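The steps above boil down to one defect: the restricted-file page echoes a user-supplied value into HTML without encoding it, so the text `<href="url" onmouseover=alert(1)>` becomes a live tag with an event handler. The following is an added example (not code from the write-up or from Google) that models that page with a hypothetical `render_forbidden_page_unsafe` "before" and a `render_forbidden_page_safe` "after", and adds the two checks a defender would put in a regression test: whether the raw marker comes back verbatim, and whether the response now contains a tag carrying an `on*=` attribute. The reflection context (a plain text node) is an assumption; the payload string is the one from the write-up.

```python
import html
import re

# Payload string taken from the write-up; used here only as a test marker.
PAYLOAD = '<href="url" onmouseover=alert(1)>SOMETEXTHERE'


def render_forbidden_page_unsafe(requested_name: str) -> str:
    """Hypothetical 'before': the requested name is interpolated straight into
    the HTML, so '<', '>' and quotes in it are interpreted as markup."""
    return (
        "<html><body><p>Access to "
        f"{requested_name}"
        " is forbidden.</p></body></html>"
    )


def render_forbidden_page_safe(requested_name: str) -> str:
    """Hardened version: HTML-escape the reflected value for a text-node
    context. quote=True also encodes '"' and "'", which matters if the same
    helper is ever reused inside an attribute value."""
    return (
        "<html><body><p>Access to "
        f"{html.escape(requested_name, quote=True)}"
        " is forbidden.</p></body></html>"
    )


def reflects_unescaped(body: str, marker: str) -> bool:
    """Regression check 1: the raw marker appearing verbatim in the response
    means the value was reflected without encoding."""
    return marker in body


# Heuristic (not a full HTML parser): a '<' that is followed, before the
# closing '>', by whitespace and an on*= attribute. Escaped text ('&lt;')
# never matches because the literal '<' is gone.
_TAG_WITH_EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def contains_event_handler(body: str) -> bool:
    """Regression check 2: does any tag in the response carry an on*= attribute?"""
    return _TAG_WITH_EVENT_HANDLER.search(body) is not None


def check_reflection(render, marker: str) -> dict:
    """Run both checks against a renderer and report the findings."""
    body = render(marker)
    return {
        "reflected_raw": reflects_unescaped(body, marker),
        "event_handler_present": contains_event_handler(body),
        "text_preserved": "SOMETEXTHERE" in body,
    }


if __name__ == "__main__":
    for name, render in (
        ("unsafe", render_forbidden_page_unsafe),
        ("safe", render_forbidden_page_safe),
    ):
        print(name, check_reflection(render, PAYLOAD))
```

The safe renderer still shows the user the name they asked for (`text_preserved` stays true); only the markup characters lose their meaning. In a real service the same escaping belongs in the template engine's default output encoding rather than in each handler, and a Content-Security-Policy that forbids inline handlers would have blocked the `onmouseover` even where encoding was missed.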
Disclosure Timeline
October 24, 2013 at 11:00 PM (WET Time): Vulnerability Discovered
October 25, 2013 at 00:05 AM (WET Time): Initial Report
October 25, 2013 at 00:05 AM (WET Time): Autoresponse from Security bot
October 25, 2013 at 8:22 PM (WET Time): First response from Security Team
November 5, 2013 at 22:46 AM (WET Time): Bounty Rewarded.
November 7, 2013: Vulnerability Fixed
You can see my name in the Hall of Fame, and I promise, I'll be there more often ;). (http://www.google.com/about/appsecurity/hall-of-fame/reward/)
Sorry about my English :3
Can you give me the Google security team's email address?