Re: Vulnerability in Google AJAX Search

[Christian Sciberras <uuf6429 () gmail com>]

Let me get this straight....the vulnerability was in some sample code (if
so, you ought to check out the PHP manual)?

Just asking...

Chris.





2010/11/10 MustLive <mustlive () websecurity com ua>

> Hello Full-Disclosure!
>
> I want to warn you about Cross-Site Scripting vulnerability in Google AJAX
> Search.
>
> In 2007 I already wrote about vulnerability in Google Custom Search Engine
> (http://websecurity.com.ua/1050/) - CVE-2007-3484
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3484), and this
> is
> new vulnerability related to Google Custom Search Engine, because AJAX
> Search is one variant of CSE.
>
> -------------------------
> Affected products:
> -------------------------
>
> Potentially vulnerable are all sites and web applications which are using
> Google AJAX Search. Particularly those ones which used AJAX Search before
> 25th of June, 2010, when Google agreed with me and changed documentation of
> AJAX Search to prevent incorrect use of their application.
>
> ----------
> Details:
> ----------
>
> XSS (WASC-08):
>
> http://site/search/?parameter=’;alert(document.cookie);//
>
> This is DOM Based XSS.
>
> For example, in IB Pro CMS (SecurityVulns ID: 11131), where Google AJAX
> Search is using, the next request is used for attack:
>
> http://site/search/?qs=’;alert(document.cookie);//
>
> Besides system IB Promotion Advanced Business Web Suite (IB Pro CMS) and
> sites on it, which contain this vulnerability in Google AJAX Search, such
> vulnerability also took place in other web application. As I found in
> September, Search Api Ajax Google (searchajaxgoogle) extension for TYPO3
> CMS
> is vulnerable for Cross-Site Scripting
> (http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-003/).
>
> ------------
> Timeline:
> ------------
>
> 2010.06.22 - announced at my site.
> 2010.06.23 - informed developers. First they tried to decline, but later
> they agreed with me.
> 2010.06.25 - Google agreed with me and changed documentation of AJAX
> Search.
> 2010.11.10 - disclosed at my site.
>
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/4309/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/