Google Gears Installation website is vulnerable to content insertion via URL parameter:
gears.google.com/?action=insta ... your funny message here
Here's one example, gears.google.com/?action=insta ...!
Here's another fun one that breaks the Scientology copyrights (it's text from the New Era Dianetics for Operating Thetans):
gears.google.com/?action=insta ...
|
|
Cool! Can we insert a JavaScript DOM element?
|
|
Try this
gears.google.com/?action=insta ...
var regex = new RegExp('[\?&]' + name + '=([^&#]*)');
var results = regex.exec(window.location.href);
return results && decodeURIComponent(results[1]);
|
|
Neat! gears.google.com/?action=insta ...
 blogoscoped.com/files/google-g ...
> var regex = new RegEx...
Suresh, HTML seems to be filtered, no?
|
|
> Suresh, HTML seems to be filtered, no?
<font size="-1"> <p><span id="app_message"></span></p>
I tried to insert JavaScript and an HTML tag; it doesn't render as an HTML tag.
function putParamText(nodeId, paramName) {
  var text = getQueryParam(paramName);
  if (text) {
    if (text.length > 150) {
      text = text.substring(0, 150)
    }
    var node = document.getElementById(nodeId);
    if (node) {
      node.innerText = node.textContent = text;
    }
  }
}
putParamText('app_message','message');
innerText ? instead of innerHTML
|
|
I wonder if the number of indexed URLs (5) will go up soon?
google.com/search?q=site:gears ...
|
|
code.google.com/apis/gears/des ...
"Use the URL in the code above to access the Google Gears installation page. Substitute your customized message and your URL in the parameters."
"message: Provide any text up to 150 characters. This message appears at the top of the installation page. For example: "Install Google Gears to enable MyGreatApp's offline features!""
|
|
Yes, I have seen that already. The question was why HTML was not rendered.
|
|
<< Provide any TEXT up to 150 characters. This message appears at the top of the installation page. >>
|
|
I hope googlebot will index it. It would be fun.
|
|
> the question was why HTML was not rendered.
Rendering HTML could compromise the page (HTML injection – Google has a whitelist of tags with which they clean HTML, but this might still allow you to leave e.g. a <b> tag open, rendering the whole page in bold). And rendering JS would even compromise the Google cookie.
> I hope googlebot will index it.
Hmm... I can't see any meta-directive excluding robots in the page itself, and as there's no robots.txt file at this time (gears.google.com/robots.txt)... I guess it can be indexed, as it's linked from other places (like this forum). This search doesn't yet return results though: google.com/search?hl=en&q= ...
|
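The behaviour discussed in this thread, as an added example that is not Google's code or any poster's: it models why a `message` value containing markup shows up as literal text when assigned through `textContent`, and adds two checks the posted `getQueryParam` fragment lacks (a regex-escaped parameter name and a guard for malformed percent-encoding). The URLs are constructed, and `escapeRegExp`, `asTextNodeHtml` and `renderMessage` are hypothetical helper names.

```javascript
// Added example, not the installation page's own script.

// Escape regex metacharacters so the parameter name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Same lookup as the snippet in the thread, but takes the URL as an argument
// and returns null instead of throwing on a malformed escape like "%E0%A4%A".
function getQueryParam(href, name) {
  const m = new RegExp('[?&]' + escapeRegExp(name) + '=([^&#]*)').exec(href);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // URIError from decodeURIComponent
  }
}

// Models how the HTML serializer writes a text node for &, < and >:
// after `node.textContent = text` the markup characters are entities,
// so no element is created from them.
function asTextNodeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// putParamText's logic without the DOM: cap at 150 characters, then return
// the text-node serialization next to what innerHTML would have been given.
function renderMessage(href, paramName) {
  let text = getQueryParam(href, paramName);
  if (!text) return null;
  if (text.length > 150) text = text.substring(0, 150);
  return { viaTextContent: asTextNodeHtml(text), viaInnerHTML: text };
}

// Constructed sample URLs (placeholder host, not the real installation page).
const samples = [
  'https://install.example/?app=demo&message=%3Cb%3EInstall%20now',
  'https://install.example/?app=demo&message=' + 'A'.repeat(200),
  'https://install.example/?app=demo&message=%E0%A4%A',
];
for (const href of samples) console.log(renderMessage(href, 'message'));
```

The text itself is still attacker-chosen and appears under the site's own domain, so the 150-character cap and text-only rendering limit the impact of the content insertion rather than remove it.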