SecurityvulnsSECURITYVULNS:DOC:20605Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities
Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities
I. Background:
Google Docs is an online application which makes possibile to "Create and share your work online".
You can use it to
create Documents, Presentations, Spreadsheets and Forms.
II. Description:
Multiple cross site scripting vulnerabilities were identified in Google Docs. A remote attacker could
write a malformed
document and invite, through Google Docs sharing option, other users to see it in order to obtain
their cookies. It's also possible
to public this malformed document and send its link around the web.
III. Details:
Google Docs makes possible to create a new document. When a user creates a new document he has the
possibility to
change its html code through the Edit Html option. An attacker can make a malformed document using
decimal HTML entities (without semicolons) and hexadecimal entities (with semicolons) to bypass
antixss filters.
Example:
<IMG SRC="javascript
:alert('test');"> (decimal HTML entity)
<IMG SRC="javascript
:alert('test');"> (hexadecimal HTML entity)
Please note: IMG tag isn't the only affected, it's just an example.
The attacker then will save his job and can share this document with someone else or send the
document link to the victim to obtain his cookie.
IV. Vendor Response:
Google has been informed and has deployed a fix for these vulnerabilities.
V. Disclosure timeline:
23/08/08 - Vulnerabilities discovered
25/08/08 - Google informed
25/08/08 - Automatic reply from Google received
24/09/08 - Ask Google for updates
25/09/09 - Google fixed all vulnerabilities submitted
Regards
Alfredo Melloni