Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-30 Thread Juha-Matti Laurio
Also
https://isc.sans.edu/diary.html?storyid=10318

Juha-Matti

Michal Zalewski [lcam...@coredump.cx] wrote:
 FYI, here's a provisional advisory from Microsoft acknowledging this issue:
 http://www.microsoft.com/technet/security/advisory/2501696.mspx
 
 /mz
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-28 Thread Michal Zalewski
FYI, here's a provisional advisory from Microsoft acknowledging this issue:
http://www.microsoft.com/technet/security/advisory/2501696.mspx

/mz



Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-28 Thread IEhrepus
nice work to MS

Now, let us wait for the FIX.


gogogo 

hitest



2011/1/28 Michal Zalewski lcam...@coredump.cx:
 FYI, here's a provisional advisory from Microsoft acknowledging this
issue:
 http://www.microsoft.com/technet/security/advisory/2501696.mspx

 /mz


Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-27 Thread Valdis . Kletnieks
On Wed, 26 Jan 2011 21:43:28 PST, Michal Zalewski said:

 The real problem is that when mhtml: is used to fetch the container
 over an underlying protocol, it does not honor Content-Type and
 related headers (or even nosniff).

Geez. It's 2011, and people are *still* doing that same basic error?

/me tries to remember the first "ignore the Content-Type header and handle it
based on guessing from the filename/extension" bug.  CA-2001-36 seems to
qualify, but I think there were ones before that.  Anybody able to remember
that far back?




Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-27 Thread IEhrepus
Security is general; many security issues are composed of many
different vulnerabilities from different vendors.

like this vul: mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!


So, coming back to this vul, it needs two conditions:
1. The www.google.com app doesn't filter the CRLF.
2. IE supports the mhtml: protocol handler to render the mhtml file format,
and this is why mhtml: is designed.
--

Both are indispensable. So Google's vul is that it doesn't take into
account the security implications of using mhtml;

the MS vul is that it does not honor Content-Type and related headers
(or even nosniff), as MZ says.

GG and MS, both are vul...

In addition, if MS says this is mhtml:'s original function, then Google
is very dangerous to the users who use IE.

Even if MS fixes it, what about the Google users who do not have time
to upgrade IE?

by superhei
hitest



2011/1/26 Michal Zalewski lcam...@coredump.cx:
 1. The www.google.com app doesn't filter the CRLF.

 This is not strictly required; there are other scenarios where this
 vulnerability is exploitable.

 2. IE supports the mhtml: protocol handler to render the mhtml file format,
 and this is why mhtml: is designed.

 The real problem is that when mhtml: is used to fetch the container
 over an underlying protocol, it does not honor Content-Type and
 related headers (or even nosniff).

 /mz




Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-27 Thread laurent gaffie
Not a Google vuln.
Hunt down MSFT to pay for your bug.
Oh wait, they don't pay for free research.. 0noz, you won't get any candy!

2011/1/27, IEhrepus 5up3r...@gmail.com:
 Security is general; many security issues are composed of many
 different vulnerabilities from different vendors.

 like this vul: mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!

 
 So, coming back to this vul, it needs two conditions:
 1. The www.google.com app doesn't filter the CRLF.
 2. IE supports the mhtml: protocol handler to render the mhtml file format,
 and this is why mhtml: is designed.
 --

 Both are indispensable. So Google's vul is that it doesn't take into
 account the security implications of using mhtml;

 the MS vul is that it does not honor Content-Type and related headers
 (or even nosniff), as MZ says.

 GG and MS, both are vul...

 In addition, if MS says this is mhtml:'s original function, then Google
 is very dangerous to the users who use IE.

 Even if MS fixes it, what about the Google users who do not have time
 to upgrade IE?

 by superhei
 hitest



 2011/1/26 Michal Zalewski lcam...@coredump.cx:
 1. The www.google.com app doesn't filter the CRLF.

 This is not strictly required; there are other scenarios where this
 vulnerability is exploitable.

 2. IE supports the mhtml: protocol handler to render the mhtml file format,
 and this is why mhtml: is designed.

 The real problem is that when mhtml: is used to fetch the container
 over an underlying protocol, it does not honor Content-Type and
 related headers (or even nosniff).

 /mz




[Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-26 Thread IEhrepus
Long, long time ago, we heard an interesting legend that www.google.com
will pay for its vulnerabilities, so we wanted to try...

Luckily, a vulnerability was caught by my friend
PZ [http://hi.baidu.com/p__z]; this vul is based on 《Hacking with mhtml
protocol
handler》 [http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt]:

mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!

We were very happy, so we posted it to secur...@google.com for the legend
:) [2011/01/23]. We got a reply soon [2011/01/24]:

---
Hi Pavel,

Nice catch! I've filed a bug internally and will keep you in the loop
as things progress.

Regards,
xxx - Google Security Team
--

but...

-
Hi Pavel,

The panel has determined this doesn't qualify for a reward for 2 reasons:

1) A very close variant was publicly disclosed on 21 Jan:
http://www.wooyun.org/bugs/wooyun-2010-01199
2) Technically, it's not a bug in Google, it's really a bug in IE.

Cheers,
xxx, Google Security Team
---

And today we tested the vul again; it has been fixed. [2011/01/26]

Thus, we understand the unspoken rules of this: this is a football
game, the vulnerability is the ball, and MS and GG are the players.


by superhei from http://www.80vul.com




hitest


Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-26 Thread Christian Sciberras
Football field? More like dodgeball!!!

On Wed, Jan 26, 2011 at 10:33 AM, IEhrepus 5up3r...@gmail.com wrote:

 Long, long time ago, we heard an interesting legend that www.google.com
 will pay for its vulnerabilities, so we wanted to try...

 Luckily, a vulnerability was caught by my friend
 PZ [http://hi.baidu.com/p__z]; this vul is based on 《Hacking with mhtml
 protocol handler》 [
 http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
 ]:

 mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!

 We were very happy, so we posted it to secur...@google.com for the legend
 :) [2011/01/23]. We got a reply soon [2011/01/24]:

 ---
 Hi Pavel,

 Nice catch! I've filed a bug internally and will keep you in the loop
 as things progress.

 Regards,
 xxx - Google Security Team
 --

 but...

 -
 Hi Pavel,

 The panel has determined this doesn't qualify for a reward for 2 reasons:

 1) A very close variant was publicly disclosed on 21 Jan:
 http://www.wooyun.org/bugs/wooyun-2010-01199
 2) Technically, it's not a bug in Google, it's really a bug in IE.

 Cheers,
 xxx, Google Security Team
 ---

 And today we tested the vul again; it has been fixed. [2011/01/26]

 Thus, we understand the unspoken rules of this: this is a football
 game, the vulnerability is the ball, and MS and GG are the players.


 by superhei from http://www.80vul.com




 hitest


Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-26 Thread Yigit Turgut
I wouldn't like to discourage ppl submitting vulns to vendors, but this is the
response you'll most likely get from those kinds of vendors no matter what
you found in their system. I had more than a dozen similar experiences like
yours. Now it's public + fixed and you get nothing besides these
replies (:



 Message: 10
 Date: Wed, 26 Jan 2011 01:33:16 -0800
 From: IEhrepus 5up3r...@gmail.com
 Subject: [Full-disclosure] www.google.com xss vulnerability Using mhtml
 To: full-disclosure@lists.grok.org.uk
 Cc: s...@rckc.at
 Content-Type: text/plain; charset=UTF-8

 Long, long time ago, we heard an interesting legend that www.google.com
 will pay for its vulnerabilities, so we wanted to try...

 Luckily, a vulnerability was caught by my friend
 PZ [http://hi.baidu.com/p__z]; this vul is based on 《Hacking with mhtml
 protocol handler》 [
 http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
 ]:

 mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!

 We were very happy, so we posted it to secur...@google.com for the legend
 :) [2011/01/23]. We got a reply soon [2011/01/24]:

 ---
 Hi Pavel,

 Nice catch! I've filed a bug internally and will keep you in the loop
 as things progress.

 Regards,
 xxx - Google Security Team
 --

 but...

 -
 Hi Pavel,

 The panel has determined this doesn't qualify for a reward for 2 reasons:

 1) A very close variant was publicly disclosed on 21 Jan:
 http://www.wooyun.org/bugs/wooyun-2010-01199
 2) Technically, it's not a bug in Google, it's really a bug in IE.

 Cheers,
 xxx, Google Security Team
 ---

 And today we tested the vul again; it has been fixed. [2011/01/26]

 Thus, we understand the unspoken rules of this: this is a football
 game, the vulnerability is the ball, and MS and GG are the players.


 by superhei from http://www.80vul.com




 hitest


Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-26 Thread Michal Zalewski
 I wouldn't like to discourage ppl submitting vulns to vendors, but this is the
 response you'll most likely get from those kinds of vendors no matter what
 you found in their system. I had more than a dozen similar experiences like
 yours. Now it's public + fixed and you get nothing besides these
 replies (:

I think you'd be surprised. Our reward panel consists solely of people
you would recognize from this list, BUGTRAQ, or vendor advisories; and
we are very consistent, timely, and pretty generous in rewarding a
large proportion of all incoming reports. Ask around :-)

In this particular case, though, the underlying problem is clearly a
browser-side flaw that is nearly impossible to fully address on web
application side - and one that first surfaced in 2004, then wasn't
fully fixed in 2007:

http://openmya.hacker.jp/hasegawa/security/ms07-034.txt

Even in cases like this, we sometimes reward the reporter when we are
given advance notice, and there are clear ways we can protect our
users. But in this instance, the report is already public, we are
already aware of it, and we are trying to deploy basic workarounds in a
number of exposed spots; and as noted, realistically, there is
limited recourse any web app provider will have.

/mz



Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-26 Thread IEhrepus
Obviously this problem is not clear. A very similar problem, like
HTTP Response Splitting: whose vulnerability is it? The webapp's or the
server-side language's?

So, coming back to this vul, it needs two conditions:

1. The www.google.com app doesn't filter the CRLF.

2. IE supports the mhtml: protocol handler to render the mhtml file format,
and this is why mhtml: is designed.


So the football game is going on...

by superhei

hitest



2011/1/26 Michal Zalewski lcam...@coredump.cx:
 I wouldn't like to discourage ppl submitting vulns to vendors, but this is the
 response you'll most likely get from those kinds of vendors no matter what
 you found in their system. I had more than a dozen similar experiences like
 yours. Now it's public + fixed and you get nothing besides these
 replies (:

 I think you'd be surprised. Our reward panel consists solely of people
 you would recognize from this list, BUGTRAQ, or vendor advisories; and
 we are very consistent, timely, and pretty generous in rewarding a
 large proportion of all incoming reports. Ask around :-)

 In this particular case, though, the underlying problem is clearly a
 browser-side flaw that is nearly impossible to fully address on web
 application side - and one that first surfaced in 2004, then wasn't
 fully fixed in 2007:

 http://openmya.hacker.jp/hasegawa/security/ms07-034.txt

 Even in cases like this, we sometimes reward the reporter when we are
 given advance notice, and there are clear ways we can protect our
 users. But in this instance, the report is already public, we are
 already aware of it, and we are trying to deploy basic workarounds in a
 number of exposed spots; and as noted, realistically, there is
 limited recourse any web app provider will have.

 /mz



Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-26 Thread Michal Zalewski
 1. The www.google.com app doesn't filter the CRLF.

This is not strictly required; there are other scenarios where this
vulnerability is exploitable.

 2. IE supports the mhtml: protocol handler to render the mhtml file format,
 and this is why mhtml: is designed.

The real problem is that when mhtml: is used to fetch the container
over an underlying protocol, it does not honor Content-Type and
related headers (or even nosniff).

/mz
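The mechanism that superhei's "two conditions" and MZ's reply above describe (a response that reflects attacker text including CRLF, and an mhtml: handler that parses the fetched container as MIME without honoring the outer Content-Type or nosniff), as an added worked model. This is constructed example code, not IE's implementation and not anything posted in the thread: the reflecting JSON endpoint, the part name `part1`, the "scan for the first multipart/related header line" approximation of the lenient parser, and the "first leaf part when no part name is given" selector are all assumptions of the model. It shows both halves of the argument: filtering CRLF on the app side removes condition 1, and honoring the declared Content-Type on the browser side removes condition 2 while a genuine MHTML container still renders.

```python
"""Toy model of the mhtml: handling discussed in the thread. Constructed
example, not IE's code: the reflecting endpoint, the payload and the
"scan for the first MIME header block" behaviour are assumptions."""
import base64
import email
import re
from email import policy
from typing import Dict, Optional, Tuple

# Attacker text: a complete multipart/related container with one base64-encoded
# text/html part. The leading CRLF puts "Content-Type:" at the start of a line
# once reflected; base64 keeps "<script>" out of the raw response.
SCRIPT = b"<script>alert(document.domain)</script>"
MHTML_PAYLOAD = (
    "\r\nContent-Type: multipart/related; boundary=_b_\r\n\r\n"
    "--_b_\r\n"
    "Content-Location: part1\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Type: text/html\r\n\r\n"
    + base64.b64encode(SCRIPT).decode("ascii") + "\r\n"
    "--_b_--\r\n"
)
CONTAINER_TYPES = {"message/rfc822", "multipart/related"}


def reflected_response(user_input: str, strip_crlf: bool = False) -> Tuple[Dict[str, str], bytes]:
    """Hypothetical JSON endpoint that echoes a parameter verbatim. strip_crlf=True
    models an app that filters CR/LF, so condition 1 from the thread is not met."""
    if strip_crlf:
        user_input = user_input.replace("\r", "").replace("\n", "")
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, ('{"q": "' + user_input + '"}').encode("utf-8")


def genuine_mhtml_response() -> Tuple[Dict[str, str], bytes]:
    """A legitimate MHTML document served with a container media type."""
    body = ("MIME-Version: 1.0\r\n"
            "Content-Type: multipart/related; boundary=_real_\r\n\r\n"
            "--_real_\r\nContent-Location: index.html\r\n"
            "Content-Type: text/html\r\n\r\n<h1>hello</h1>\r\n--_real_--\r\n")
    return {"Content-Type": "message/rfc822"}, body.encode("utf-8")


def _extract_part(container: str, part_name: Optional[str]) -> Optional[bytes]:
    """Return the decoded body of the leaf part whose Content-Location equals
    part_name (first leaf part when None), i.e. the "container!part" selector."""
    msg = email.message_from_string(container, policy=policy.default)
    if not msg.is_multipart():
        return None
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part_name is None or part.get("Content-Location") == part_name:
            payload = part.get_payload(decode=True)  # undoes base64 / QP
            return payload.strip() if payload is not None else None
    return None


def legacy_mhtml_fetch(headers: Dict[str, str], body: bytes,
                       part_name: Optional[str] = None) -> Optional[bytes]:
    """Flawed handler: ignores the response headers and parses the body as MIME
    from the first line declaring a multipart/related container (an assumed
    approximation of lenient parsing). `headers` is deliberately unused."""
    text = body.decode("utf-8", errors="replace")
    m = re.search(r"^Content-Type:[^\r\n]*multipart/related", text, re.MULTILINE)
    return _extract_part(text[m.start():], part_name) if m else None


def hardened_mhtml_fetch(headers: Dict[str, str], body: bytes,
                         part_name: Optional[str] = None) -> Optional[bytes]:
    """Handler that honors Content-Type: the body is parsed as an MHTML container
    only when the server declared it as one; nothing is sniffed, so nosniff
    never even needs consulting."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in CONTAINER_TYPES:
        return None
    return _extract_part(body.decode("utf-8", errors="replace"), part_name)


def demo() -> Dict[str, Optional[bytes]]:
    """The four cases the thread argues about."""
    reflected = reflected_response(MHTML_PAYLOAD)
    filtered = reflected_response(MHTML_PAYLOAD, strip_crlf=True)
    genuine = genuine_mhtml_response()
    return {
        "legacy, CRLF reflected": legacy_mhtml_fetch(*reflected, part_name="part1"),
        "legacy, CRLF filtered": legacy_mhtml_fetch(*filtered, part_name="part1"),
        "hardened, CRLF reflected": hardened_mhtml_fetch(*reflected, part_name="part1"),
        "hardened, genuine MHTML": hardened_mhtml_fetch(*genuine, part_name="index.html"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {result!r}")
```

Run it directly to see the four outcomes side by side: only the legacy handler fed a CRLF-reflecting response yields the script, which is why the app-side CRLF filtering is a workaround rather than a fix, and why the real correction belongs in the handler that reads the declared Content-Type.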
