Comments on intern0t: The Bug Which Isn't a Bug
Feed author: MaXe (http://www.blogger.com/profile/15789470334534466087)
Feed updated: 2012-11-01T18:57:57-07:00

Comment by MaXe (https://www.blogger.com/profile/15789470334534466087), 2012-02-15T14:05:23-08:00:

Nice one, and thanks. I'm not sure if they ever will, as vBulletin probably still has the same issue with custom BBCode tags, which I also addressed a couple of years ago; well, 2011 or 2010 it probably was.

Google doesn't think it's a vulnerability to keep the developers in the dark about what's being encoded and what's not, and thereby allow developers to unknowingly develop insecure applications, where they thought input from user data would've been sanitized as it should've been.

The good thing about the variable that I mentioned is that it's not often used in the way that Disqus used it, which I'm glad about, but it's a shame Google doesn't encode single quotes, for unknown reasons. Furthermore, the developers of Disqus were almost _not_ going to fix the XSS in their plugin, because they misunderstood what Google said: they thought that XSS isn't dangerous when blogspot.com and blogger.com are different domains, and will therefore not allow disclosure of session cookies.

At least, so they say, but XSS should be fixed no matter what, unless it's intentional :-)

Comment by infodox (https://www.blogger.com/profile/08064108812126713980), 2012-02-15T08:05:33-08:00:

Well, I just spent a while playing with this; it's a pretty simple GET request XSS.

Example (RickRoll + XSS popup) is at http://tinyurl.com/723gp7x

Nice job MaXe, maybe they will fix it now?