Google Urchin password theft madness

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure-bounces@xxxxxxxxxxxxxxxxx
Subject: Google Urchin password theft madness
From: pagvac <unknown.pentester@xxxxxxxxx>
Date: Mon, 24 Sep 2007 19:20:17 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:subject:x-enigmail-version:content-type:content-transfer-encoding; bh=xrOlQr+p6iV0MMgozr4sgeA0fDgwzvRMWTuJRoDDif8=; b=D2OqTMlDqE4OS7d2AtasZF0pu6cv6chHR6eUBwbDXs5Jt54KSU+HnRnZBSiw02kE4Xaum/U3FU1PLe3Xsvw5kjIQTKd8sSoCKc/Se6VrNdRwqNOtKS5VPtmv5ruf/YrGPCpF+m992SbpK9lJq3x3fBILarHoYeuZUFxoNi4mzfs=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:subject:x-enigmail-version:content-type:content-transfer-encoding; b=kJqj4LNMlR8Wz+xE4ckAAxGYeLULPjAZmViyylHDOmCz+1GUrQWs8wypU84x2OveqcEBFn6wuiSHWwl9h6hfHb0S5kQqGuZ8FiLD/ljo1TIpB7U+as6Gm4LkrZURIodD60AdV052k6rBuHG49Wubwu8m/g/cxrnVSwpRTEO5KW8=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5 (Windows/20051201)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is a trivially exploitable XSS vul on Google Urchin Web Analytics
5's login page. The vulnerability has been tested on versions 5.6.00r2,
v5.7.01, 5.7.02 and 5.7.03 (latest). Previous versions are most likely
to be affected as well.

I know that you're sick of XSS PoCs that only open alert boxes. So I
crafted a exploit URL that will steal the victim's username and password
by simply clicking on it:

http://www.gnucitizen.org/blog/google-urchin-password-theft-madness

PS: demo video included!

- --
pagvac
[http://gnucitizen.org, http://ikwt.com/]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFG9//fjXB4hX6OC/cRAnchAJ4k9U4i8ZW1Cf8CjbNuivYlCHqjCQCeIVyj
oZ2fz06792VVGEkfpPwjCMs=
=Uz1y
-----END PGP SIGNATURE-----

Prev by Date: Arbitrary Command Inclusion
Next by Date: Re: New bypass shell for linux
Previous by thread: Arbitrary Command Inclusion
Next by thread: rPSA-2007-0198-1 kernel
Index(es):
- Date
- Thread