Channel: Widespread XSS for Google Search Appliance
Browsing all 30 articles

Widespread XSS for Google Search Appliance

So i fell asleep last night and didn't finish the encoding script as i assumed i would. But finally finished (pain in the ass to write btw). The topic is plenty descriptive - it's an XSS in most sites...




Re: Widespread XSS for Google Search Appliance

Awesome, simply awesome. Quote: One problem though: any site with embedded script like for(i=0;i<10;i++) gets changed to for(i=0;i<10;i ) .. which is an infinite loop. you'll have to overwrite that...


Re: Widespread XSS for Google Search Appliance

because of how UTF7 encoding works.. any special characters - i.e. not a-z A-Z 0-9 or ' ( ) , - . / : ? .. get encoded. And the format has the start character of + and optional end character of -. like...


Re: Widespread XSS for Google Search Appliance

*Bows to maluc* You my friend are one smart cookie ;) Me on the other hand ... not so much. My first try I added oe=UTF-7 as said ... but never noticed oe=UTF-8 in front :( head down in shame It...


Re: Widespread XSS for Google Search Appliance

ya, it froze ie7 once or twice for me as well.. there's a lot of ways to freeze a browser with javascript if you intentionally wanna - especially IE. and while i always appreciate people paying homage to...



Re: Widespread XSS for Google Search Appliance

Though, excellent find! wish i had more time on my hands to look at it more closely.


Re: Widespread XSS for Google Search Appliance

Nevermind


Re: Widespread XSS for Google Search Appliance

Over the last few hours alone 11 Google employees have read the article, Maluc: 65.57.245.11 - - "GET /blog/20061118/widespread-xss-for-google-search-appliance/ HTTP/1.0" 200 8080 "-" "Mozilla/5.0...



Re: Widespread XSS for Google Search Appliance

Fixed.



Re: Widespread XSS for Google Search Appliance

wow, probably got put on some google memo.. i'm interested to see how quickly they can patch at least the majority of their clients. that's good to know christpuncher.. never was a fan of sloppy seconds...


Re: Widespread XSS for Google Search Appliance

http://www.nist.org/news.php?extend.184


Re: Widespread XSS for Google Search Appliance

http://news.zdnet.com/2102-1009_22-6138744.html We weren't mentioned in the article, however Google has issued a patch in their next version. Until everyone patches up, holes abound.


Re: Widespread XSS for Google Search Appliance

http://news.com.com/2100-1002_3-6138744.html?part=rss&tag=2547-1_3-0-20&subj=news Again, we weren't mentioned here. But I like the moral of the story. Google introduces holes into your machines...



Re: Widespread XSS for Google Search Appliance

lol, i like how nist links to a random mortgage agent http://ha.ckers.com -maluc


Re: Widespread XSS for Google Search Appliance

Next time I'm in vegas I should call DARIN FERRARO, set up an appointment to see a home and politely ask for the ckers.com domain...



Re: Widespread XSS for Google Search Appliance

lol, you should.. would be a probably inexpensive way to get it. it's not like "ckers" is related in any way to his business or name -maluc


Re: Widespread XSS for Google Search Appliance

I did pm some with this but they haven't replied and it's been enough time. perhaps you might have better luck than i have at getting it to fire....



Re: Widespread XSS for Google Search Appliance

as i said in the first post.. google.com is not affected because they sanitize all input in UTF-8 (whereas their Search Appliance product sanitizes it in the output encoding of choice) so if your input...


Re: Widespread XSS for Google Search Appliance

hmmm, I follow with what you are saying, but somewhere something got changed. When i compare the results from last week to this week using the same links i can confidently say that they have changed...


Re: Widespread XSS for Google Search Appliance

Maluc, is there a way to circumvent this in "normal" sites? i can imagine by just tampering the header to read UTF-7 instead of UTF-8. Or is this idea too wild? i'm not completely absorbed by your UTF-7...
