Full Disclosure mailing list archives
Re: Google / GMail bug, all accounts vulnerable
From: Peter Besenbruch <prb () lava net>
Date: Wed, 12 Dec 2007 13:12:23 -1000
On Wednesday 12 December 2007 11:27:28 Steven Adair wrote:
Glad to see we figured it out. :) Yes, "Cross Site Request Forgery" would be the correct term referenced by the acronym in all of the replies (subsequently also the first result in a normal Google query).
And there you have it: I can use Google and Wikipedia. ;)
I'm still not quite sure what the big deal on the favicon stuff in terms of this issue. So lets say you completely disabled favicons altogether. Now when you visit the original PoC - it no longer works. However, if you simply had a 302 or mod_rewrite rule for any image that you actually had written into the source of your page, you could achieve the same result.
You are probably asking the wrong guy, but one of the comments made earlier in this thread claimed that the favicon method bypasses Noscript protections. Aside from XSS blocking, Noscript would eliminate IFRAMEs and most Javascript. Would your technique bypass it? -- Hawaiian Astronomical Society: http://www.hawastsoc.org HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Google / GMail bug, all accounts vulnerable, (continued)
- Re: Google / GMail bug, all accounts vulnerable Nick FitzGerald (Dec 11)
- Re: Google / GMail bug, all accounts vulnerable coderman (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable jipe foo (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable coderman (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable ad () heapoverflow com (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Kristian Erik Hermansen (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Steven Adair (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable coderman (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Peter Besenbruch (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Steven Adair (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Peter Besenbruch (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable coderman (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable coderman (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Andrew A (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Andrew A (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable Andrew A (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable coderman (Dec 12)
- Re: Google / GMail bug, all accounts vulnerable coderman (Dec 11)