####################################################
Google AdSense invite-friend multiple field XSS
vendor url: https://www.google.com/adsense/
advisory: http://lostmon.blogspot.com/2005/05/google-adsense-invite-friend-multiple.html
vendor notify: yes
exploit available: yes
#####################################################

Google AdSense is a fast and easy way for website publishers of all sizes to display relevant Google ads on their website's content pages and earn money.

Google AdSense contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not properly validate the 'Your friend's name', 'Your name', 'Your email address' and 'Add a personal message' fields upon submission to the 'previewInvitation()' function in the '/adsense/invite-friend' scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

#############
timeline:
#############
discovered: 1 May 2005
vendor notified: 2 May 2005
vendor response: 2 May 2005 (autoresponder)
vendor response:
fix: not fixed !!!!
disclosure: 5 May 2005

###################
software used
##################
Windows 2000 SP4, all fixes
IE 6.0, all fixes
Google Toolbar 2.0.114.9 big/es
Netcraft Toolbar 1.4.1

#################
proof of concept:
#################
Image example: http://usuarios.lycos.es/reyfuss/xss/images/google3.gif

Go to this address: https://www.google.com/adsense/invite-friend
and insert in the fields listed, for example:

">
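
One way to close this class of bug, as an added example (not code from the advisory or from Google): a hypothetical preview renderer that validates the four fields the advisory names and HTML-encodes them on output. The function name, the field keys (friendName, yourName, yourEmail, message) and the length limits are assumptions.

```javascript
// Added example: hypothetical preview renderer, not Google's code.
// Field keys mirror the four form fields named in the advisory.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Conservative syntactic check; rejects quotes, angle brackets and whitespace.
function isPlausibleEmail(value) {
  return /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$/.test(value);
}

// Assumed maximum lengths per field.
const LIMITS = { friendName: 100, yourName: 100, yourEmail: 320, message: 1000 };

// Validate on input, encode on output. Returns { ok, errors, html }.
function renderInvitationPreview(fields) {
  const errors = [];
  const clean = {};
  for (const [name, max] of Object.entries(LIMITS)) {
    const raw = typeof fields[name] === "string" ? fields[name].trim() : "";
    if (raw.length === 0 || raw.length > max) errors.push(name);
    clean[name] = raw;
  }
  if (!errors.includes("yourEmail") && !isPlausibleEmail(clean.yourEmail)) {
    errors.push("yourEmail");
  }
  if (errors.length > 0) return { ok: false, errors, html: "" };

  // Every interpolation goes through escapeHtml, in attribute and text context alike.
  const html =
    `<form><input type="hidden" name="friendName" value="${escapeHtml(clean.friendName)}">` +
    `<p>Dear ${escapeHtml(clean.friendName)},</p>` +
    `<p>${escapeHtml(clean.message)}</p>` +
    `<p>${escapeHtml(clean.yourName)} &lt;${escapeHtml(clean.yourEmail)}&gt;</p></form>`;
  return { ok: true, errors, html };
}

// Constructed sample input: a name that tries to close the attribute and the tag.
const sample = renderInvitationPreview({
  friendName: '"><b>Alice</b>',
  yourName: "Bob",
  yourEmail: "bob@example.com",
  message: "Join <AdSense> & earn",
});
console.log(sample.html);
```

The email field is rejected outright when it fails the syntax check, while free-text fields are accepted and neutralised by encoding at the point of output.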