RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
As long as there are NO RULES, i.e. standards which companies MUST adhere to in order to ensure an application is built for suitability for purpose and a basic set of security principles, the current state of software development will continue. There will be those large software vendors which will bend to pressure from large corporations, but without a LEGAL framework the huge numbers of small to middle size application vendors who would prefer smoke and mirrors will continue with that theme, since it is zero cost.

-----Original Message-----
From: tcp fin [mailto:[EMAIL PROTECTED]]
Sent: 11 July 2006 05:30
To: Martin O'Neal; [EMAIL PROTECTED]; RSnake
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google

Hey Martin,

I agree with you partly, but there are vendors out there in the market who have a "don't know, don't care" attitude. If that's the case, after identifying and exploiting the vulnerability in the same vendor's product, I personally would not like to waste my and your time with a vendor who did not give us a favourable response before. I would refrain from taking names, but I have seen that happening in the past, and still some of those vulnerabilities are existing in those products. However, no one can deny full disclosure with responsibility, the responsible disclosure!!!

Regards,
TCP-FIN

--- Martin O'Neal <[EMAIL PROTECTED]> wrote:

> > My opinion is that full disclosure is not for vendors ..
> > it's for users. Full disclosure is for us to know how to
> > react on certain threads.
>
> Which is just fine if you are technically competent to understand the
> threat, and there is also a valid mitigating strategy you can employ
> immediately. For the vast majority of situations though, this just
> isn't the case. The users are not technically competent enough to
> understand the true threat posed by an entry on a news group (which are
> generally hopelessly incomplete and/or factually inaccurate) and then
> this is coupled with a vulnerable product that may be essential,
> difficult to protect, and a stable official fix that may be weeks or
> months away from delivery.
>
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion. Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.
>
> Martin...
>
> --
> CONFIDENTIALITY: This e-mail and any files transmitted with it are
> confidential and intended solely for the use of the recipient(s) only.
> Any review, retransmission, dissemination or other use of, or taking
> any action in reliance upon this information by persons or entities
> other than the intended recipient(s) is prohibited. If you have
> received this e-mail in error please notify the sender immediately
> and destroy the material whether stored on a computer or otherwise.
> --
> DISCLAIMER: Any views or opinions presented within this e-mail are
> solely those of the author and do not necessarily represent those
> of Corsaire Limited, unless otherwise specifically stated.
> --
> Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
> Telephone: +44(0)1483-226000
> Email: [EMAIL PROTECTED]
>
> -
> Sponsored by: Watchfire
>
> Securing a web application goes far beyond testing the application using
> manual processes, or by using automated systems and tools. Watchfire's
> "Web Application Security: Automated Scanning or Manual Penetration
> Testing?" whitepaper examines a few vulnerability detection methods -
> specifically comparing and contrasting manual penetration testing with
> automated scanning tools. Download it today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70150008Vmm
> --

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
Hey Martin,

I agree with you partly, but there are vendors out there in the market who have a "don't know, don't care" attitude. If that's the case, after identifying and exploiting the vulnerability in the same vendor's product, I personally would not like to waste my and your time with a vendor who did not give us a favourable response before. I would refrain from taking names, but I have seen that happening in the past, and still some of those vulnerabilities are existing in those products. However, no one can deny full disclosure with responsibility, the responsible disclosure!!!

Regards,
TCP-FIN

--- Martin O'Neal <[EMAIL PROTECTED]> wrote:

> > My opinion is that full disclosure is not for vendors ..
> > it's for users. Full disclosure is for us to know how to
> > react on certain threads.
>
> Which is just fine if you are technically competent to understand the
> threat, and there is also a valid mitigating strategy you can employ
> immediately. For the vast majority of situations though, this just
> isn't the case. The users are not technically competent enough to
> understand the true threat posed by an entry on a news group (which are
> generally hopelessly incomplete and/or factually inaccurate) and then
> this is coupled with a vulnerable product that may be essential,
> difficult to protect, and a stable official fix that may be weeks or
> months away from delivery.
>
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion. Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.
>
> Martin...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
On 7/7/06, Mike Duncan <[EMAIL PROTECTED]> wrote:

> Martin O'Neal wrote:
>
> Actually, I think this is the point the author was trying to make. We
> should not be thinking about the interests of a company who has ignored
> issues in the past.

Ignored what? A non-security alert that was probably understood as a joke?

> The author did the right thing here by posting examples in the past of
> Google ignoring possible issues with their website.

Just because someone does not get a reply to an email does not mean that the issue(s) are ignored.

> I think the author actually went above and beyond the "requirements" of
> the list(s) and its reader base as well.

I think not. http://www.wiretrip.net/rfp/policy.html

> And the debate continues...

Nothing to really debate. This list is not a bandwagon. You should not just jump on and assume you know the ACCEPTED and UNDERSTOOD guidelines.

On top of that, what is up with your ignorance with adding every person in the thread to your CC list? You like duplicate emails, so force them on other people? Read http://www.ietf.org/rfc/rfc1855.txt

> Mike Duncan
> [EMAIL PROTECTED]
Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
On 7/7/06, Mike Duncan <[EMAIL PROTECTED]> wrote:

> And the debate continues...

I think it's a closed issue.. Google was quick to react on this round
http://www.threadwatch.org/node/7266#comment-41639
RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
Martin O'Neal wrote:
>
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion. Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.

Actually, I think this is the point the author was trying to make. We should not be thinking about the interests of a company who has ignored issues in the past. The "great majority of the user base" will listen to the company -- not us -- anyway. They are not on this list(s) and thus will not see what we see. We are not making the Google website better here; rather we are trying to alert people of a possible issue with the website that they should be aware of and learn from this issue.

The author did the right thing here by posting examples in the past of Google ignoring possible issues with their website. I think the author actually went above and beyond the "requirements" of the list(s) and its reader base as well.

And the debate continues...

Mike Duncan
[EMAIL PROTECTED]
Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
On 7/6/06, Martin O'Neal <[EMAIL PROTECTED]> wrote:

> > My opinion is that full disclosure is not for vendors ..
> > it's for users. Full disclosure is for us to know how to
> > react on certain threads.
>
> Which is just fine if you are technically competent to understand the
> threat, and there is also a valid mitigating strategy you can employ
> immediately. For the vast majority of situations though, this just
> isn't the case. The users are not technically competent enough to
> understand the true threat posed by an entry on a news group (which are
> generally hopelessly incomplete and/or factually inaccurate) and then
> this is coupled with a vulnerable product that may be essential,
> difficult to protect, and a stable official fix that may be weeks or
> months away from delivery.
>
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion. Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.
>
> Martin...

There are more complex issues to take into consideration which are hiding under the surface. While I respect that you folks are thinking on a professional, responsible and politically correct notion, it's not always as clear cut as that.

Folks like "nsnake" a lot of the time don't give a crap about the vendor or the knock-on effect their disclosure might have; a lot of the time a disclosure is attention driven.

Also, there are cases where the user has already contacted the vendor and has been given bad treatment in the eyes of the researcher. This is when a user might go onto a list to try and scare a vendor back into talks with the researcher, by showing the vendor you're more than willing to spill all to the public.

Finally, I wouldn't go judging folks and their competence, because you cannot tell straight off what a user knows from reading their advisory. It is easy for folks to use a nickname and carefully craft a bad advisory presentation and give inaccurate information with the disclosure. Remember, the researcher hasn't always got your best interests at heart, nor the interest to prove a level of competence to an open audience. The days of trying to be elite in front of folks are fading; that's the old scene. The new scene is money and self-agenda driven, rather than proving yourself to the vendor or wider security community.

Sure, nsnake could very well be a dumbass, but I wouldn't straight away jump to conclusions. Generally, anyone who has found this list and is reading it has a default level of competence, more than a lot of professionals realise. You the professional just take for granted that you are the expert, and the people throwing you advisories are dumbasses, unless they meet your criteria of what you expect someone who knows what they're talking about should look like.

It's not always clear cut, and you don't know the background a lot of the time: why the advisory has been released, who originally found the vulnerability, off-list arguments between members of the security community or (and) the vendor. Don't expect people to be on your side and be civil towards you, even if the person is more than capable of being such in a real-life environment. Take what you are given by researchers and don't bite the hand that feeds you. Once you bite the hand, it's unlikely he'll be able to throw you more information, if he hasn't got his hand anymore. Either that, or he just won't want to give you more information, if SCR (security community relations) have been dashed by a select few on a mailing list who decided to determine and influence his/her style of disclosure and what, if any, technical knowledge that researcher has, purely on your correspondence between the researcher and professional.

Remember, sometimes the researcher doesn't want to play along with your technical discussion, and would rather confuse or conceal the true skill set of the researcher to the enemy. (Yes, a lot of the time, in the mind of the researcher you are known as the enemy, and he doesn't give a rat's ass what you think)...

Thanks,
n3td3v
Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
On 7/6/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> You can try so [EMAIL PROTECTED], they should answer very fast at this
> address...

They respond, but I wouldn't go as far as to say "very fast". You're better having an inside contact, with a private e-mail address; then you really do get a "very fast" response.
Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
You can try so [EMAIL PROTECTED], they should answer very fast at this address...

Martin O'Neal wrote:

> > My opinion is that full disclosure is not for vendors ..
> > it's for users. Full disclosure is for us to know how to
> > react on certain threads.
>
> Which is just fine if you are technically competent to understand the
> threat, and there is also a valid mitigating strategy you can employ
> immediately. For the vast majority of situations though, this just
> isn't the case. The users are not technically competent enough to
> understand the true threat posed by an entry on a news group (which are
> generally hopelessly incomplete and/or factually inaccurate) and then
> this is coupled with a vulnerable product that may be essential,
> difficult to protect, and a stable official fix that may be weeks or
> months away from delivery.
>
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion. Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.
>
> Martin...

--
Arnaud Dovi / Independent Security Researcher
[EMAIL PROTECTED]
RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
> My opinion is that full disclosure is not for vendors ..
> it's for users. Full disclosure is for us to know how to
> react on certain threads.

Which is just fine if you are technically competent to understand the threat, and there is also a valid mitigating strategy you can employ immediately. For the vast majority of situations though, this just isn't the case. The users are not technically competent enough to understand the true threat posed by an entry on a news group (which are generally hopelessly incomplete and/or factually inaccurate) and then this is coupled with a vulnerable product that may be essential, difficult to protect, and a stable official fix that may be weeks or months away from delivery.

I personally also believe in full disclosure, but it has to be delivered in a responsible fashion. Dispatching vulnerabilities to a public list without even attempting to contact the vendor is clearly not in the best interest of the vendors nor the great majority of the user base.

Martin...
Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
RSnake wrote:
>
> Just for the record, I should clarify. Google was not notified of this
> exploit prior to full disclosure. As I said, they are notoriously slow
> (or completely delinquent) in fixing these issues historically. If you
> need proof click here to see four redirect issues disclosed nearly 6
> months ago that are still not fixed.
>
> http://seclists.org/lists/webappsec/2006/Jan-Mar/0066.html
>
> Here's another one:
>
> http://www.google.com/url?sa=D&q=http://www.fthe.net
>
> Typically I don't believe in full disclosure as a release methodology
> (for instance, if I found a remote vulnerability in Microsoft, I
> wouldn't disclose that without giving Microsoft months to release a
> patch as they have taken their patching process very seriously as of
> late and their responsibility in this matter has been far improved).
> Either Google was not convinced when they were used as a phishing relay
> last time, or they do not take this seriously. Either way, it takes all
> but a few days to patch these issues in a website, QA them and release
> them, and Google has not done so, making contacting the vendor a useless
> exercise to date, in my opinion.

My opinion is that full disclosure is not for vendors .. it's for users. Full disclosure is for us to know how to react on certain threads. I personally don't care about the vendors, although my company is a vendor itself. We also produce software and we also care about the security of our software, but I expect users to post to security groups instead of mailing me personally. If the vendor cares about his users he should watch the security groups.

I believe in FULL disclosure, and I think this is the better way.

--
Javor Ninov aka DrFrancky
securitydot.net

> On Wed, 5 Jul 2006, [EMAIL PROTECTED] wrote:
>
>> Did you even bother to email them and let them know? Being that
>> they're still vulnerable probably not
>>
>> - z
>>
>>> Google is vulnerable to cross site scripting attacks. I found a
>>> function built off their add RSS feed function that returns HTML if a
>>> valid feed is found. It is intended as an AJAXy (dynamic JavaScript
>>> anyway) call from an inline function and the page is intended to do
>>> sanitation of the function. However, that's too late, and it returns
>>> the HTML as a query string, that is rendered, regardless of the fact
>>> that it is simply a JavaScript snippet.
>>>
>>> Here is the post that explains the whole thing:
>>>
>>> http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
>>>
>>> -RSnake
>>> http://ha.ckers.org/
>>> http://ha.ckers.org/xss.html
>>> http://ha.ckers.org/blog/feed/
>>>
>>> The Web Security Mailing List:
>>> http://www.webappsec.org/lists/websecurity/
>>>
>>> The Web Security Mailing List Archives:
>>> http://www.webappsec.org/lists/websecurity/archive/
>>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> -R
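RSnake's description above (a feed-lookup endpoint that hands back HTML, which the calling page renders before any sanitisation takes place) is the classic shape of a reflected cross-site scripting bug, and the defensive fix is to encode untrusted values before they are placed into markup, not afterwards. The JavaScript below is an added example written for this archive; it is not code from the thread, from RSnake or from Google. `escapeHtml`, `buildFeedPreviewUnsafe`, `buildFeedPreviewSafe` and the sample feed are all constructed for illustration.

```javascript
// Added example (not from the thread): HTML-encode untrusted feed data before
// it is interpolated into markup. All names and sample data are constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can change meaning inside an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the markup is built by string concatenation and the
// title fetched from the remote feed is trusted as-is, so any tag inside it
// is handed to the browser unchanged.
function buildFeedPreviewUnsafe(feed) {
  return `<div class="feed"><a href="${feed.url}">${feed.title}</a></div>`;
}

// Hardened pattern: encode each untrusted value for the context it lands in,
// and only accept http(s) URLs for the href so a scheme such as javascript:
// cannot be smuggled in through the link.
function buildFeedPreviewSafe(feed) {
  const href = /^https?:\/\//i.test(feed.url) ? escapeHtml(feed.url) : "#";
  return `<div class="feed"><a href="${href}">${escapeHtml(feed.title)}</a></div>`;
}

// Constructed sample: a feed whose title carries markup, as a feed under an
// attacker's control could.
const SAMPLE_FEED = {
  url: "http://example.invalid/feed.xml",
  title: '<script>alert("xss")</script>Weekly news',
};

// Returns both renderings so the difference can be inspected side by side.
function demo(feed = SAMPLE_FEED) {
  return {
    unsafe: buildFeedPreviewUnsafe(feed),
    safe: buildFeedPreviewSafe(feed),
  };
}

console.log(demo());
```

Run it with `node`: the `unsafe` rendering carries the script tag through to the browser, the `safe` one turns it into inert text. Encoding is context-specific: the helper here covers HTML text and double-quoted attribute values, so a value that ends up inside a JavaScript string literal or a URL component needs the encoder for that context instead.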
Re: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
This one is bogus...

On 7/5/06, RSnake <[EMAIL PROTECTED]> wrote:

> Here's another one:
>
> http://www.google.com/url?sa=D&q=http://www.fthe.net

Wrong! That redirection URL is doing exactly what it's meant to do. The system is used when you post a URL on a Google Groups description, for example. There is no exploit there, and it won't be fixed by Google, because there's nothing to fix.

Try it for yourself. Create yourself a Google Group and put a URL in the group description, and you will see your URL has been added to the end of www.google.com/url

Likewise on Yahoo, Yahoo have rd.yahoo.com for exactly the same reason, to keep track of URLs posted by the public on their web applications. Google and Yahoo use the system so they can store URLs on a database, where they have full control of URLs posted by the public.

Google and Yahoo are sick of people mentioning their URL redirection system on security lists. The system was designed to do what you're showing in your example, by default. It is designed for the only purpose you're showing everyone right now. There is no threat beyond what the design specification of the URL redirection web address is supposed to do.

Please go away and only post _real_ disclosures for Google and Yahoo in future.

n3td3v
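Whether or not one counts a tracking redirector as a vulnerability, the concern RSnake raises earlier in the thread (a site-branded URL that forwards to any destination, usable as a phishing relay) has a standard defensive answer: check the target against an allowlist before issuing the redirect, and fall back to a safe page otherwise. The JavaScript below is an added example written for this archive, not code from the thread, from Google or from Yahoo; `SITE_ORIGIN`, `ALLOWED_HOSTS`, `FALLBACK` and the sample targets are constructed placeholders.

```javascript
// Added example (not from the thread): allowlist-based validation of a
// redirect target. Origin, host list and sample inputs are constructed.

const SITE_ORIGIN = "https://www.example.invalid";
// Hosts this service is willing to forward users to (constructed list).
const ALLOWED_HOSTS = ["www.example.invalid", "groups.example.invalid"];
// Where to send the user when the requested target is refused.
const FALLBACK = "https://www.example.invalid/";

// True when the hostname is an allowed host or a subdomain of one.
// The leading dot prevents "example.invalid.attacker.invalid" from matching.
function hostAllowed(hostname, allowedHosts) {
  const h = hostname.toLowerCase();
  return allowedHosts.some((a) => h === a || h.endsWith("." + a));
}

// Returns the URL to redirect to: the requested target when it parses as
// http(s) and points at an allowed host, otherwise the fallback.
function resolveRedirect(rawTarget, allowedHosts = ALLOWED_HOSTS, fallback = FALLBACK) {
  let url;
  try {
    // Relative targets resolve against our own origin; absolute targets
    // (including protocol-relative "//host/..." forms) keep their own host.
    url = new URL(rawTarget, SITE_ORIGIN);
  } catch (err) {
    return fallback; // unparseable input is never forwarded
  }
  // Only web schemes are ever redirected to.
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback;
  // The WHATWG parser already separates "user@host", so url.hostname is the
  // real destination even for targets like "https://trusted@attacker/".
  if (!hostAllowed(url.hostname, allowedHosts)) return fallback;
  return url.href;
}

// Constructed sample targets as they might arrive in a "q=" parameter.
const SAMPLE_TARGETS = [
  "/groups/foo",
  "https://groups.example.invalid/g/x?y=1",
  "http://phish.invalid/login",
  "//phish.invalid/login",
  "https://www.example.invalid@phish.invalid/",
];

for (const t of SAMPLE_TARGETS) {
  console.log(`${t} -> ${resolveRedirect(t)}`);
}
```

The decision is made on the parsed hostname rather than on a substring match of the raw string, which is what defeats the usual bypasses (userinfo tricks, protocol-relative URLs, look-alike domains that merely start with the trusted name). Logging the refused targets gives a cheap signal of who is probing the redirector.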