Re: XSS?

["Andrew Chan" <andrewchan () dso org sg>]

sorry I made a mistake on the subject during the initial posting. Google was 
not vulnerable to XSS (I actually tested <script> initially also that's why 
the mistake). Previously I tried on a few localized google sites and the 
only site that didn't respond to that query was www.google.mu. It seem that 
google had since solved the problem.

----- Original Message ----- 
From: "Serg Belokamen" <serg.belokamen () gmail com>
To: "Aman Raheja" <araheja () techquotes com>
Cc: <webappsec () securityfocus com>
Sent: Thursday, November 17, 2005 11:32 AM
Subject: Re: XSS?


> URL will change which would make it obvious.
>
> Then again some will buy into it so yeah...
>
> I am kind of on a fence with this one. You did sway my opinion though;
> hence on the fence. I used to be on the other side :)
>
> Don't think Google can do much about though and keep same functionality.
>
>   Serg
>
>
> On 17/11/05, Aman Raheja <araheja () techquotes com> wrote:
> > Why would it not be a problem if someone sends an email with the link
> > http://www.google.com/url?q=http://www.xyz.com and prompt user to sign
> > up for some new google service or even sign in to personalize the google
> > homepage?
> > The user will get redirected to the xyz site which would show google
> > logo and same look and feel and collect the user information - which
> > could potentially be misused. They are probably not going away the
> > credit card or bank information but it is phishing and collecting user
> > information by misleading.
> > AR
> >
> > Serg B. wrote:
> >
> > >I really dont see a problem here?
> > >
> > >Vulnerability? What are you on about? Simple, expected redirect (key
> > >word: expected).
> > >
> > >Here is a more in context example.
> > >
> > >Lets say you have some sort of managment system (lets say a CRM of some
> > >sort) and you search for user with name 'A'. Returned result set
> > >contains 20 matches. You are presented with a list and you choose which
> > >one you want to look at in details. However if result set returned is a
> > >single, exact match then there is absolutely no point showing a list of
> > >matches since we already know that there is only a single match. Hence,
> > >go directly to data, saving time and effort.
> > >
> > >   Serg
> > >
> > >On Tue, 2005-11-15 at 13:51 +0000, Aman Raheja wrote:
> > >
> > >
> > >>This is not XSS but indeed a vulnerability since they are not 
> > >>validating
> > >>the URL and it's irresponsible of google not to take care of this kind 
> > >>of
> > >>vulnerability which would aid phishing.
> > >>
> > >>Aman Raheja
> > >>http://www.techquotes.com
> > >>
> > >>On Tue, 15 Nov 2005 11:52:19 +0800, Andrew Chan <quickt () gmail com> 
> > >>wrote :
> > >>
> > >>
> > >>
> > >>>I tried http://www.google.com/url?q=http://www.microsoft.com and it 
> > >>>got
> > >>>directed. it seems that I received one such phishing email that makes
> > >>>use of this to obfuscate the actual URL lately.
> > >>>