shut, the, fuck, up, yellow, bus, rider.
smooches!
On 12/4/05, n3td3v [EMAIL PROTECTED] wrote:
[drama]
[idiot in the wild wild]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and
[drama]
[wild imagination]
***Millions of e-mail addresses exposed to hackers***
*Hacker gets access to every group, made easier by his/her worm script
(likely a hacker would do this)
*Hacker harvests all e-mail addresses exposed and sells to spammer
(likely a hacker would do this)
*Hacker
XSS is 'starting' to get fairly useful.
Absolutely, I agree. But in this specifc case, its not all that useful.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
Absolutely, I agree. But in this specifc case, its not all that useful.
Please, for the love of god, do not get him riled up again. Can we all just
say N3td3v, thanks for the info. Wow, it must have been an exhaustive
search to find that needle in a haystack. I'm sure Google appreciates your
So how about a real world attack scenario for this. This is one of
the lamest vulns I have ever seen.
Remarks: This is my second Google disclosure in under a year. That
makes two vulnerabilities for Google I have discovered.
Oh great, more useless XSS vulns. Sigh... perhaps one day you
The capabilities of a XSS flaw are endless. You know what you're
talking about, right? Maybe not. ;-)
On 12/3/05, InfoSecBOFH [EMAIL PROTECTED] wrote:
So how about a real world attack scenario for this. This is one of
the lamest vulns I have ever seen.
Oh great, more useless XSS vulns.
So how about a real world attack scenario for this. This is one of
the lamest vulns I have ever seen.
Until about a year ago, I'd have to agree with you. A lot of uses for XSS have
been researched in the last year
including a few new ways to use it make it 'useful'. Not only can you do
Vendor: Google
Service: Groups
Issue: XSS in pending message page
Description: The http://groups.google.com/group/n3td3v/pendmsg page is
vulnerable from cross-site-scripting attack. This allows a malicious
user to take the owner or moderator cookie from the user. This can
then be used to access
Proof of concept: a class=newlink
href=http://www.google.com/url?sa=Dq=http://www.google.com?
scriptalert(document.cookie)/script
Remarks: This is my second Google disclosure in under a year. That
makes two vulnerabilities for Google I have discovered.
Credit: n3td3v
wall ... bad...
