Webmaster Forum

Go Back   Webmaster Forum > Marketing Forums > Google Forum

Google Forum Discuss Google related issues.


Reply
 
LinkBack Thread Tools Display Modes
Share |
  #1 (permalink)  
Old 09-20-2004, 03:51 PM
imaginemn's Avatar
v7n Mentor
Latest Blog:
None

 
Join Date: 02-18-04
Location: Brownsville, Texas
Posts: 1,354
iTrader: 0 / 0%
Google Toolbar About.HTML HTML Injection Vulnerability

Exploit

Google Toolbar is reported prone to a HTML injection vulnerability. It is reported that the Google Toolbar 'ABOUT.HTML' page allows the injection of HTML and JavaScript code.

This vulnerability may allow an attacker to inject malicious HTML and script code into the about page of the vulnerable application.

Solution

Currently we are not aware of any vendor-supplied patches for this issue.

The following proof of concept is available:

<script>window.showModalDialog("res://C:\\Program%20Files\\Google\\GoogleToolbar1.dll/ABOUT.HTML", "<div style=\"background-image: url(javascript:alert(location.href));\">");</script>

imaginemn
 
Reply With Quote

Advertisement

Advertisement

  #2 (permalink)  
Old 09-21-2004, 02:29 AM
I, Brian's Avatar
Senior Member
Latest Blog:
None

 
Join Date: 10-26-03
Posts: 1,911
iTrader: 0 / 0%
I was just wondering this morning if there were any security issues with the toolbar.

Is this sepcific to the toolbar itself, or the browser using the toolbar (ie, IE)?

Also - do you have a confirmed source for this? I'm talking about Symantec et al.
 
Reply With Quote
  #3 (permalink)  
Old 09-21-2004, 07:38 AM
imaginemn's Avatar
v7n Mentor
Latest Blog:
None

 
Join Date: 02-18-04
Location: Brownsville, Texas
Posts: 1,354
iTrader: 0 / 0%
It's with the toolbar itself. If you copy the code and save it as an html file then open the html file you will see the vulnerability. I did not discover this flaw. Since this is a newly discovered issue I am not sure the full extent of the damage that could be caused. The code provided will only do a javascript alert window to prove concept. It affects Google Toolbar 1.1.41 through Google Toolbar 2.0.114 .1 versions.

This is an issue that was recently discovered on September 17 and being discussed at a corporate security briefing I was attending due to some security alerts I received.

I meant to post some links that confirms this.

http://www.securityfocus.com/bid/11210
http://www.securitytracker.com/alert...p/1011351.html

imaginemn
 
Reply With Quote
  #4 (permalink)  
Old 09-21-2004, 08:14 AM
I, Brian's Avatar
Senior Member
Latest Blog:
None

 
Join Date: 10-26-03
Posts: 1,911
iTrader: 0 / 0%
thanks for the confirmation - much appreciated.
 
Reply With Quote
  #5 (permalink)  
Old 09-21-2004, 10:38 AM
samer's Avatar
Contributing Member
Latest Blog:
None

 
Join Date: 10-13-03
Posts: 1,961
iTrader: 0 / 0%
I tested it .. it didn't work .. my firewall is blocking malcious scripts ! (well, I think so )
 
Reply With Quote
  #6 (permalink)  
Old 09-21-2004, 12:06 PM
imaginemn's Avatar
v7n Mentor
Latest Blog:
None

 
Join Date: 02-18-04
Location: Brownsville, Texas
Posts: 1,354
iTrader: 0 / 0%
What version of the toolbar are you using? This is what I get using version 2.0.113.

I'm glad it's not all versions.

imaginemn
Attached Thumbnails
Google Toolbar About.HTML HTML Injection Vulnerability-google.jpg  
 
Reply With Quote
Go Back   Webmaster Forum > Marketing Forums > Google Forum

Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
HTML naming, breaking any rules in google? ---Genetic--- Google Forum 5 10-08-2007 10:50 PM
HTML: 2 simple html codes. mybluehair Coding Forum 6 04-20-2007 12:59 PM
HTML: What if html tidy messes with the page layout ? Linda in NY Coding Forum 63 04-18-2007 09:54 AM
Learning HTML & HTML Editors Kalina Marketing Forum 13 03-03-2006 10:57 AM
Is there a scipt adding new html to existing html automatic? crazyhorse Coding Forum 6 07-29-2004 04:32 PM


V7N Network
Get exposure! V7N I Love Photography V7N SEO Blog V7N Directory


All times are GMT -7. The time now is 08:51 AM.
Powered by vBulletin
Copyright 2000-2014 Jelsoft Enterprises Limited.
Copyright © 2003 - 2014 Escalate Media




Search Engine Optimization by vBSEO 3.6.0 RC 2 ©2011, Crawlability, Inc.