WebApp Sec mailing list archives

Re: XSS?

From: "Serg B." <serg.belokamen () gmail com>
Date: Wed, 16 Nov 2005 03:20:49 +1100

I really dont see a problem here? 

Vulnerability? What are you on about? Simple, expected redirect (key
word: expected). 

Here is a more in context example.

Lets say you have some sort of managment system (lets say a CRM of some
sort) and you search for user with name 'A'. Returned result set
contains 20 matches. You are presented with a list and you choose which
one you want to look at in details. However if result set returned is a
single, exact match then there is absolutely no point showing a list of
matches since we already know that there is only a single match. Hence,
go directly to data, saving time and effort.

   Serg

On Tue, 2005-11-15 at 13:51 +0000, Aman Raheja wrote:

This is not XSS but indeed a vulnerability since they are not validating 
the URL and it's irresponsible of google not to take care of this kind of 
vulnerability which would aid phishing.

Aman Raheja
http://www.techquotes.com

On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan <quickt () gmail com> wrote :

I tried http://www.google.com/url?q=http://www.microsoft.com and it got
directed. it seems that I received one such phishing email that makes
use of this to obfuscate the actual URL lately.

Current thread:

XSS? Andrew Chan (Nov 15)
- Re: XSS? Tom Gallagher (Nov 15)
- <Possible follow-ups>
- Re: XSS? Aman Raheja (Nov 15)
  - Re: XSS? Serg B. (Nov 15)
    - Re: XSS? Aman Raheja (Nov 17)
    - Re: XSS? Serg Belokamen (Nov 17)
    - Re: XSS? Andrew Chan (Nov 18)
  - Re: XSS? Pilon Mntry (Nov 15)
- RE: XSS? Matt Fisher (Nov 30)