POC: http://beford.org/stuff/live.htm

Y otra cosa interesante que encontre, es algo en la interface movil de google, en la seccion para configurar el idioma, el parametro continue, recibe la ruta donde se encontraba el usuario, para poder retornarlo alli una vez seleccione el idioma. Aparentemente no estan haciendo una concatenacion de 'm.google.com/' + continue sino de 'm.google.com' + continue. Pasandole a continue un valor de '.otrodominio.com' hariamos que todos los enlaces apunten a un sitio externo fuera de google.

POC: http://m.google.com/languages/?dc=gorganic&continue=.beford.org

La Universidad Minuto de Dios ha organizado un Congreso de Hacking Etico en la ciudad de Bogota, esta planeado para el Sabado 17 de Mayo, pueden ver toda la informacion sobre la conferencia en http://congresohacking.com/ (al parecer algun inteligente lo reporto a Google como sitio de ataque, http://hacking.uniminuto.edu/). El precio de entrada es bastante accesible, la modica suma de 60.000 COP (33 USD) para los estudiantes universitarios, y 100.000 COP para los profesionales, asi que probablemente estare por alla, y si alguien quiera patrocinarme mejor! Tambien aparentemente habra un 'reto' hacking, sin saber que tipo de reto seran no me arriesgaria a inscribirme, dudo que sea algun concurso al estilo pwn2own, especialmente que los premios sean asi . Aca pueden ver el programa de las conferencias. Al parecer muchos miembros de la comunidad de DragonJar estaran por alla.

Google Slideshows no esta filtrando los hipervinculos de las presentaciones cuyo destino es una URI javascript:, con solo crear un simple enlace, colocarle como destino javascript:alert(1) e insertarlo en la presentacion, es posible ejecutar javascript en el contexto de mail.google.com. Para los que quieran verlo en funcionamiento he preparado un sencillo poc que envia las cookies a un sitio remoto (que no existe), tendrian que enviarse este archivo por correo, y luego verlo en modo de Presentacion desde Gmail.

Aqui es donde entra el detalle, estos enlaces son creados como objetos tipo flash, y son llamados para abrirse en una ventana nueva, mediante el parametro '_blank'. Aparentemente cada navegador maneja de manera distinta y son los culpables de este problema. Por ejemplo con este archivo, al clickear el recuadro que enlaza a javascript:alert(document.domain), Firefox, aunque abre una nueva ventana con el contexto about:blank, internamente no actualiza el contexto de ejecucion por completo y es posible acceder a ciertos objetos del DOM (document.cookie, document.domain) pero no a otros (XMLHttpRequest). Opera por otra parte, crea la nueva ventana, pero al ejecutar la javascript uri, lo realiza en la misma ventana donde se origino el evento, comprometiendo completamente el contexto del sitio que hostea el objeto flash. En versiones anteriores de IE, el comportamiento era, abrir una nueva ventana, y el javascript se ejecutaba correctamente como about:blank, pero en las mas recientes, aparece una nueva ventana, y se cierra instantaneamente, sin poder saber que ocurre. En safari el comportamiento es distinto, el navegador aparentemente intenta cargar una pelicula al clickear el recuadro, y queda vacio, pero no ejecuta el javascript.

Actualización: HaDeS preparo y publico un pequeño video en youtube demostrando la falla, y Google ha deshabilitado temporalmente esta caracteristica mientras solucionan el problema.

Text2SQLChar Converts an string into a CHAR() mysql, usefull when magic_quotes is on.
SQLIncrement Increments automatically the number of columns of the injected select query.
SQLDecrement Decrements automatically the number of columns of the injected select query.
Increment Allows you to navigate up html files or images that have a number in them.
Decrement Allows you to navigate down html files or images that have a number in them.
base64 Firefox only, base64 with no padding

I wrote the first 3 of them, I'm not javascript god, so they need to get improved, I'll try to make them shorter, and follow a couple of suggestion from bookmarklets.com. The two others come from RSnake' bookmarklet collection, where I fixed a detail, it was not decoding the URL before using it, so if the url contained an escaped value at the end of the url like %20, it would modify it and change it to %21. I'll keep this post updated whenever I find or write a new security-related bookmarklet. As another issue, I noticed that the site looks ugly on low resolution systems, so I'll try to get a new theme to fix that on a couple of days and update the wordpress version.

Update: Let's make that, Firefox 2.0.0.11, which also fixes some regressions.

www.google.com/ig/adde?moduleurl=http://beford.org/stuff/ig.xml

I've just notified Google about this, to avoid been a target of this flaw you can switch to Mozilla Firefox (+Noscript), or upgrade to IE7, which is not an option for Windows 2000 users.

Update: According to a friend, Rafael, Opera users are vulnerable aswell, he sent me an screenshot which you can see here: Opera Google XSS.

Update 2: Google fixed this on 27 November.

According to pdp, this issue makes vulnerable to Cross-site scripting applications that allow users uploading compressed ZIP, and JAR files. After a couple of minutes messing around the poc's, I figured out that sites with open redirect issues are vulnerable too. I've created this poc that attacks Gmail, it's based on my previous post and it will only show your contacts list, it's not being logged server side or anything (as some people thought that my previous poc did. Credit to tx for discovering the open redirect issue used to exploit Google / Firefox):

http://beford.org/stuff/jarjarbinks.htm

Who's fault? Both, Google for having open redirect issues and not fixing them, and Mozilla Corporation for failing to address this problem.

What can I do to protect myself? Giorgio Maone have already added protection against this flaw to NoScript development version.

Update: NoScript released stable version with Jar protection. A new bugzilla (#403331) entry was created to fix the inappropiate redirect on jar protocol, according to the lastest comments and bug keyword, there seems to be a patch and will be availible with Firefox 2.0.0.10.

The vulnerability exists in Blogspot polls feature, I had already disclosed a vulnerability on this system. The 'font' parameter was not being sanitized before being used inside an STYLE tag, so you could inject IE's expression() and Mozilla's -moz-binding. They fixed it, however they didn't check enough the rest of the code, the new XSS is:

Simple XSS POC

Since its Sunday and there is nothing else to do, I've created 2 more pocs, one of them, shows a your contacts, the second one will make Gmail forward all new received emails to another email account, no user interaction required, well you just need to open a website while still logged to Gmail.

POC1: http://beford.org/stuff/contacts.htm
POC2: http://beford.org/stuff/gmail.htm

I have tested them under IE, Konqueror, Opera and Firefox, it should work on all of them. If you want to be protected against this kind of attacks, I'd highly recommend Firefox + NoScript.

Update: Google fixed this issue, I'd like to ask the people that looked at the second poc to disable forwarding if you have not done so, I'm still getting ton of email. This screenshot shows how to disable forwarding.