Full Disclosure mailing list archives

Google Arbitrary URL Redirect Vulnerability


From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 9 Oct 2011 23:57:49 +0300

Hello YGN Ethical Hacker Group!

A few notes concerning your advisory Google: Malware URL Redirection (Google Arbitrary URL Redirect Vulnerability) 
(http://bl0g.yehg.net/2011/08/google-malware-url-redirection-google.html).

In 2008 (23.01.2008) I already wrote about 11 redirectors of Google (http://websecurity.com.ua/1766/) - after I 
wrote about multiple Google redirectors in 2007 in my Month of Search Engines Bugs project. Some of them repeat 
previously disclosed redirectors, but most are new ones (which I found in 2007). Since that time Google has fixed most 
of them, except two (and of course, as often happens with Google, they fixed them quietly without 
thanking the people who bring their and everyone's attention to vulnerabilities at Google's sites).

Among the redirectors which I disclosed in 2008, two are still working (one works automatically and one requires 
a hash, which can be easily bypassed, as you wrote in detail in your advisory). The one which requires a hash is 
exactly the same redirector which you wrote about in your advisory.

Another one, which still works and does so automatically (without hashes):

http://www.google.com/search?q=websecurity.com.ua&btnI=websecurity.com.ua

So Google did some work to fix redirectors (URL Redirector Abuse) at their sites. But there is room for 
improvement ;-) (and they need to deal with these two redirectors).

For Google (if they are not sure whether to fix them or not) and for those who are interested in this class of vulnerabilities, 
I recommend reading the corresponding articles:

URL Redirector Abuse (WASC-38) in WASC 2.0
http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse

Redirectors: the phantom menace
http://websecurity.com.ua/3495/

Attacks via closed redirectors
http://websecurity.com.ua/3531/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
