Full Disclosure mailing list archives
Forwarding message vulnerability on Google Groups
From: n3td3v <xploitable () gmail com>
Date: Fri, 16 May 2008 00:46:43 +0100
If joebloggs () google com is banned from a Google Group and xploitable () gmail com is registered with that group, joebloggs () google com can subscribe to a mailing list such as Full-Disclosure and start forwarding all messages xploitable () gmail com sends to that mailing list if xploitable () gmail com is registered to it, and directly post them to the Google Group joebloggs () google com is banned from. This is probably done by the banned joebloggs () google com setting up a filter on Gmail Settings > Filter > Matches: from:(xploitable () gmail com) Do this: Forward to (n3td3v () googlegroups com). Severity of this issue is obviously critical and you should switch the victim's registered (xploitable () gmail com) e-mail address on a Google Group to "moderate" as a work around, until Google Groups fixes this vulnerability. Google Inc. (GOOG) was notified simultaneously as this security advisory was published to the wild. http://finance.google.com/finance?q=NASDAQ:GOOG/ http://groups.google.com/ http://google.com/ All the best, n3td3v _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Forwarding message vulnerability on Google Groups n3td3v (May 15)