WebApp Sec mailing list archives
Re: XSS?
From: "Serg B." <serg.belokamen () gmail com>
Date: Wed, 16 Nov 2005 03:20:49 +1100
I really dont see a problem here? Vulnerability? What are you on about? Simple, expected redirect (key word: expected). Here is a more in context example. Lets say you have some sort of managment system (lets say a CRM of some sort) and you search for user with name 'A'. Returned result set contains 20 matches. You are presented with a list and you choose which one you want to look at in details. However if result set returned is a single, exact match then there is absolutely no point showing a list of matches since we already know that there is only a single match. Hence, go directly to data, saving time and effort. Serg On Tue, 2005-11-15 at 13:51 +0000, Aman Raheja wrote:
This is not XSS but indeed a vulnerability since they are not validating the URL and it's irresponsible of google not to take care of this kind of vulnerability which would aid phishing. Aman Raheja http://www.techquotes.com On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan <quickt () gmail com> wrote :I tried http://www.google.com/url?q=http://www.microsoft.com and it got directed. it seems that I received one such phishing email that makes use of this to obfuscate the actual URL lately.