Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Google XSS == Gmail pwnage
Posted by: beford
Date: September 24, 2007 01:22AM

http://www.google.com/reviews/polls/display/159769971366811755/blogger_template/vote?purl=blogspot.com%2F&chrtclr=%23599be2&hideq=false&font=normal+normal+100%25+Helvetica%2CArial%2CVerdana%2C%20Trebuchet+MS%20%2C+Sans-serif&u_tz=%22%3EXSS

I've added 2 pocs on my (new :P) blog http://blog.beford.org/?p=3

I'd consider that one of them is kinda scary.



Edited 1 time(s). Last edit at 09/24/2007 02:06AM by beford.

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: ma1
Date: September 24, 2007 05:32AM

Ouch!

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: ma1
Date: September 24, 2007 05:58AM

BTW, do you think your host could stand slashdotting?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: Gareth Heyes
Date: September 24, 2007 06:08AM

Nice find beford :)

This proves everything is insecure, there are just degrees of insecurity

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: id
Date: September 24, 2007 12:18PM

ma1 Wrote:
-------------------------------------------------------
> BTW, do you think your host could stand
> slashdotting?


It has at least 3 times.

-id

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: rsnake
Date: September 24, 2007 01:05PM

Plus a bunch of diggs too - and reddits - those were the worst.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: ma1
Date: September 24, 2007 01:29PM

id Wrote:
-------------------------------------------------------
> ma1 Wrote:
> --------------------------------------------------
> -----
> > BTW, do you think your host could stand
> > slashdotting?
>
>
> It has at least 3 times.

Mine too, but I meant beford's ;)

At any rate, good to know for the future...

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: id
Date: September 24, 2007 02:17PM

ah yeah, I should read the thread more carefully...looks like blog.beford.org is hosted, so I'm guessing it could, but he may be charged for bandwidth so I'd wait for a response before doing it.

This server can handle a lot of traffic, but the line is only 768k up, so that's the bottleneck, and I don't really care if it is a bit slow for a day, so go for it if it ever comes up.

-id

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: thrill
Date: September 24, 2007 02:45PM

Quote

and I don't really care if it is a bit slow for a day

That's so noble of you... diq.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: id
Date: September 24, 2007 03:08PM

I swear I'm going to move the server someday...

-id

Options: ReplyQuote
Re: Google XSS == Gmail pwnage
Posted by: thrill
Date: September 25, 2007 01:13PM

Yeah, and it'll probably be the day after I shut it down and move out of my house.. ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Options: ReplyQuote


Sorry, only registered users may post in this forum.