Vendor: Google

Service: Groups

Issue: XSS in pending message page

Description: The http://groups.google.com/group/n3td3v/pendmsg page is
vulnerable from cross-site-scripting attack. This allows a malicious
user to take the owner or moderator cookie from the user. This can
then be used to access a groups administrative controls.

Scenario: If a group is moderating messages before allowing a post, a
malicious user can send a message to the vulnerable pendmsg page.

If a group is unmoderated, but Google's anti-spam technology suspects
a message is from a known spammer or phisher, the message goes to the
pendmsg page. A malicious spammer or phisher can send a message to the
vulnerable pendmsg page.

Reproduction: Setup a test group and send a carefully crafted script
to the pendmsg page.

Proof of concept: <a class=newlink
href="http://www.google.com/url?sa=D&q=http://www.google.com?<script>alert(document.cookie)</script>">

Remarks: This is my second Google disclosure in under a year. That
makes two vulnerabilities for Google I have discovered. Can I make it
a third? Maybe you can come back next year to find out. ;-)

First disclosure: December 18th 2004
Second disclosure: December 3rd 2005

Credit: n3td3v
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/