Real Cases
Re: Hacked by Digg Fans Aug 01 2006 08:16AM
Marios A. Spinthiras (mario netway com cy)

Take another case, for example. This is a copy of an email sent to the
sec-focus mailing lists a while back regarding a similar Google bug.


Google is vulnerable to cross site scripting attacks. I found a
function built off their add RSS feed function that returns HTML if a
valid feed is found. It is intended as an AJAXy (dynamic JavaScript,
anyway) call from an inline function, and the page is intended to do
sanitization of the function's output. However, that's too late: it returns
the HTML from a query string, which is rendered regardless of the fact
that it is simply a JavaScript snippet.

Here is the post that explains the whole thing:


It clearly shows that you are indeed right when it comes to low security
risks. I believe Google has not fixed it to this day.

Just adding a little cent to the dollar.

Marios. A. Spinthiras
Netway Ltd
Nicosia, Cyprus
----- Original Message -----
From: "David Vieira-Kurz" <admin (at) majorsecurity (dot) de [email concealed]>
To: "Marios A. Spinthiras" <mario (at) (dot) cy [email concealed]>
Sent: Tuesday, August 01, 2006 10:53 AM
Subject: Re: Hacked by Digg Fans

> Hello Marios,
> As far as I know they didn't respond to my bugtraq post about XSS
> vulnerabilities on their page, nor on the BugTraq list itself.
> For sure you're right about the serious problem of prioritizing, but it
> doesn't surprise me that some people from could inject some XSS code
> there.
> In the past I have checked a couple of well-known homepages. Most of them
> had XSS vulnerabilities. After my discovery I wrote to them that there
> were some bugs
> and explained to them how a potential hacker could use/manipulate them. It
> always took a very long time before they wrote back, and a couple of weeks
> until they fixed the bug
> - even if I sent them a bugfix which they only had to include in their
> page by "copy & paste".
> My own opinion is that most big companies don't even care about such
> "low risk" bugs.
> So far. Thanks for your response.
> Greetings,
> David
>> G'Morning David,
>> I checked this out personally myself and I think the team has responded
>> to your bugtraq post. Disregarding that, I think the reason they didn't
>> remedy this so far is due to its severity. It's not that serious a
>> problem to prioritize. It only produces wrong output. No writes are made
>> anywhere, nor is anything executed..
>> Thanks,
>> Marios A. Spinthiras
>> NetWay Ltd
>> Nicosia, Cyprus
>> ----- Original Message -----
>> From: <admin (at) majorsecurity (dot) de [email concealed]>
>> To: <realcases (at) securityfocus (dot) com [email concealed]>
>> Sent: Monday, July 31, 2006 8:18 PM
>> Subject: Re: Hacked by Digg Fans
>>> Hello. I have advised that there are some Cross Site Scripting
>>> vulnerabilities on the homepage. I don't understand why no one
>>> from the Netscape team reacted to my advice and fixed the bugs....
>>> Here's the original advisory:
>>> Thanks for your attention.
>>> David
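
The endpoint described in the quoted Google report (an HTML fragment built from request parameters, with the sanitizing left to the calling page), as an added JavaScript example that is not part of this post, of the original advisory, or of Google's code. The endpoint name, its `url`/`title` parameters, the page-side sanitizer and the attacker input are all assumptions constructed for the illustration; the point it shows is why sanitizing in the caller is "too late" once the fragment URL can be opened directly.

```javascript
// Added illustration (not from the original post or Google's code):
// a feed-preview endpoint that reflects request parameters into an HTML
// fragment.  Parameter names and the page-side sanitizer are assumed.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the fragment is built by string concatenation, so whatever
// arrives in the query string is emitted as markup.
function feedPreviewVulnerable(params) {
  return '<div class="feed"><a href="' + params.url + '">' +
         params.title + '</a></div>';
}

// Hardened: encode text for the HTML context and accept only http(s)
// URLs for the href attribute (anything else falls back to "#").
function feedPreviewHardened(params) {
  const url = /^https?:\/\//i.test(params.url) ? escapeHtml(params.url) : '#';
  return '<div class="feed"><a href="' + url + '">' +
         escapeHtml(params.title) + '</a></div>';
}

// The calling page's inline "sanitizer" (assumed): strips script tags,
// inline event handlers and javascript: URLs before inserting the
// fragment into the DOM.  Crude on purpose; what matters is that it runs
// only inside the intended page.
function pageSideSanitize(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/javascript:/gi, '');
}

// Heuristic used by this demo to decide whether a fragment still carries
// active content: a script tag, an event-handler attribute inside a tag,
// or a javascript: URL in href/src.  Not a real sanitizer.
function hasActiveContent(html) {
  return /<script\b/i.test(html) ||
         /<\w+[^>]*\son\w+\s*=/i.test(html) ||
         /\b(href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Two ways the endpoint's output can reach a browser.
function renderViaPage(params) {            // XHR from the intended page
  return pageSideSanitize(feedPreviewVulnerable(params));
}
function renderDirect(params) {             // victim opens a crafted link
  return feedPreviewVulnerable(params);     // nothing sanitizes it
}

// Constructed attacker input (not a real payload seen on Google).
const ATTACK = {
  url: 'javascript:alert(document.cookie)',
  title: '<img src=x onerror="alert(document.cookie)">',
};

function demo() {
  return {
    viaPage: hasActiveContent(renderViaPage(ATTACK)),        // false
    direct: hasActiveContent(renderDirect(ATTACK)),          // true
    hardened: hasActiveContent(feedPreviewHardened(ATTACK)), // false
  };
}

console.log(demo());
```

The page-side sanitizer does neutralise the payload when the fragment is fetched through the page, which is what makes the bug look harmless to the team that owns the page. It does nothing when the same URL is handed to a victim directly, so the fix belongs in the endpoint: encode for the output context and validate the URL before the bytes leave the server.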



Copyright 2010, SecurityFocus