what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

google-reader.txt

google-reader.txt
Posted Apr 14, 2006
Authored by Debasis Mohanty | Site hackingspirits.com

Google reader is supposed to display only those contents which the user has subscribed to however two vulnerabilities has been identified which may allow an attacker to entice it's victim (using google reader service) to view unwanted web contents carrying malicious payloads.

tags | advisory, web, vulnerability
SHA-256 | 7b5cfc8166efe4aad445c202f3c534911b697134b00dbe62e5e065872e8c800a

google-reader.txt

Change Mirror Download
Sending it late as I missed to send this to bugtraq during the disclosure. 


Google Reader "preview" and "lens" script improper feed validation
===================================================================

I. DESCRIPTION

Google Reader (http://www.google.com/reader/) helps organise the contents of
those rss or atom feeds for which the user is interested in or subscribed
to. The user instead of continuously checking his/her favorite sites or
discussion groups for updates, (s)he can let Google Reader do it for them.
>>From news sites to your friends' blogs, Google Reader helps stay up-to-date
with all the online information that matters most to the user.


II. VULNERABILITY DETAILS

Google reader is supposed to display only those contents which the user has
subscribed to however two vulnerabilities has been identified which may
allow an attacker to entice it's victim (using google reader service) to
view unwanted web contents carrying malicious payloads.


a. Google reader "preview" script improper feed validation (without user
authentication)
----------------------------------------------------------------------------
------------
Google feed reader "preview" script: The script
(http://www.google.com/reader/preview/*/feed/) is normally used for
displaying the feed contents within the reader.

For example, the following request will display the rss content of the link
http://www.microsoft.com/athome/security/rss/rssfeed.aspx:

http://www.google.com/reader/preview/*/feed/http://www.microsoft.com/athome/
security/rss/rssfeed.aspx

Note: '*' in the above link can be replace with any word of your choice
otherwise it can be left as it is.

This 'preview' script is only available to authenticated user but if a
direct link is provided it doens't ask for user authentication. It can be
very usefull for an attacker to mount an attack on its victim by directing
them to view the content of malicious sites (carrying evil payloads).


b. Google reader "lens" script improper feed validation (with user
authentication)
----------------------------------------------------------------------------
------
Google feed reader "lens" script: The script
(http://www.google.com/reader/lens/feed/) is normally used for displaying
contents of only those feeds to which an authenticated user has subscribed
to.

However, it is possible to pass any rss / atom feed to the script as
parameter to which the user has not subscribed but the un-subscribed feed
contents can still be loaded within the user reader page.

For example, the following request will display the rss content of the link
http://www.securityfocus.com/rss/news.xml:
http://www.google.com/reader/lens/feed/http://www.securityfocus.com/rss/news
.xml

This 'lens' script is only available to authenticated user and can be
usefull for an attacker to mount an attack on its victim by directing them
to view the content of malicious sites (carrying evil payloads) even though
the user is not subscribed to.


III. VENDOR
Google.com



IV. HISTORY
30th Jan, 2006 - Bug originally discovered
2nd Feb, 2006 - Vendor Notified
...
...
No vendor response
...
...
22nd Feb, 2006 - Vendor Notified again
22nd Feb, 2006 - Public Disclosre


IV. CREDITS
Debasis Mohanty
www.hackingspirits.com


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close