Unrestricted File upload to XSS on google
Reported by
shaon.du...@gmail.com,
Jul 18 2017
Issue description

Hi Google Security Team,

Here is Shaifullah Shaon (Black_EyE), an ethical hacker and white hat cyber security researcher from Bangladesh, reporting a serious [3rd ranking in OWASP] security vulnerability on your system. I faced a technical security bug called "Unrestricted File upload to XSS on googlegroups.com". Now I exploited it. If you want to verify further, you can see my video PoC, which is unlisted on my YouTube channel.

Please follow me:

1. I already opened my account.
2. Go to any Google topic at the forum: https://productforums.google.com/forum/ Now make a reply and also upload an HTML file.
3. Now upload a file as I wish.
4. Just click on the test.html file from the reply.
5. Now, as you see, I uploaded a .html file for XSS.
6. I am trying it in Firefox privacy mode. As you see, here also a popup with the script.

** Note: An attacker can steal user tokens using this issue.

POC:
1. (XSS Page): https://08562868187480532102.googlegroups.com/attach/6811a1d3ea565/test.html?part=0.1&view=1&vt=ANaJVrHNWm-9DA8-IFY4FgjoeMvStRSQAzMWwTc6F_e-QadwDqWOBmpBiSCS0ttuZwuIQL1fwNrj14s3Jh6MkTznF8QgAi87SBpGt9vGczbykvkgiTpy1tg

Please see my video PoC to understand clearly. Hopefully those are very critical issues. Resolve those issues as soon as possible.

Here is the proof of concept video (unlisted): ttps://youtu.be/2ZzLUo8cDac

Thank you,
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com
Comment 1 by elawrence@chromium.org, Jul 18 2017
From https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain

XSS in sandbox domains

Google uses a range of sandbox domains to safely host various types of user-generated content. Many of these sandboxes are specifically meant to isolate user-uploaded HTML, JavaScript, or Flash applets and make sure that they can't access any user data. For this reason, we recommend using alert(document.domain) instead of alert(1) as your default XSS payload. In particular, if you see script execution in any subdomains of the domains in this list:

ad.doubleclick.net
googleusercontent.com
googlecode.com
codespot.com
feeds.feedburner.com
googleadservices.com
googledrive.com
googlegroups.com <------------------------------------
{your-blog-name}.blogspot.com
{your-app-name}.appspot.com
firebasestorage.googleapis.com
storage.googleapis.com

...your report will probably not qualify, unless you can come up with an attack scenario where the injected code could gain access to sensitive user data.
Oct 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 25 2017

Can you please tell me whether I can expect something or not for this issue?