Google Blogoscoped

Google Gears Installation Website Vulnerable To Content Insertion

John Quntaero [PersonRank 1]

Thursday, June 7, 2007
13 years ago, 3,708 views

Google Gears Installation website is vulnerable to content insertion via URL parameter:

gears.google.com/?action=insta ... your funny message here

Here's one example:
gears.google.com/?action=insta ...!

Here's another fun one that breaks the Scientology copyrights (it's text from the New Era Dianetics for Operating Thetans):

gears.google.com/?action=insta ...

Ken Wong [PersonRank 5]

13 years ago #

Great find!

Suresh S [PersonRank 10]

13 years ago #

Cool! Can we insert a JavaScript DOM element?

Suresh S [PersonRank 10]

13 years ago #

Try this

gears.google.com/?action=insta ...

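function getQueryParam(name) {
  // Capture the value of ?name=... or &name=... up to the next & or #
  var regex = new RegExp('[\?&]' + name + '=([^&#]*)');
  var results = regex.exec(window.location.href);
  return results && decodeURIComponent(results[1]);
}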

Philipp Lenssen [PersonRank 10]

13 years ago #

Neat! gears.google.com/?action=insta ...


blogoscoped.com/files/google-g ...



> var regex = new RegEx...

Suresh, HTML seems to be filtered, no?

Suresh S [PersonRank 10]

13 years ago #

> Suresh, HTML seems to be filtered, no?

<font size="-1">
   <p><span id="app_message"></span></p>

I tried to insert JavaScript and an HTML tag; it doesn't render as an HTML tag.

function putParamText(nodeId, paramName) {
  var text = getQueryParam(paramName);
  if (text) {
    // Cap the message at 150 characters
    if (text.length > 150) {
      text = text.substring(0, 150);
    }
    var node = document.getElementById(nodeId);
    if (node) {
      // Assigned as plain text, so any markup in the parameter is not parsed as HTML
      node.innerText = node.textContent = text;
    }
  }
}
putParamText('app_message','message');

innerText instead of innerHTML?

John Quntaero [PersonRank 1]

13 years ago #

I wonder if the number of indexed urls (5) will go up soon?

google.com/search?q=site:gears ...

Anonymous [PersonRank 0]

13 years ago #

code.google.com/apis/gears/des ...

"Use the URL in the code above to access the Google Gears installation page. Substitute your customized message and your URL in the parameters."

"message: Provide any text up to 150 characters. This message appears at the top of the installation page. For example: "Install Google Gears to enable MyGreatApp's offline features!""

Suresh S [PersonRank 10]

13 years ago #

Yes, I have seen that already. The question was why HTML was not rendered.

Ionut Alex. Chitu [PersonRank 10]

13 years ago #

<< Provide any TEXT up to 150 characters. This message appears at the top of the installation page. >>

TOMHTML [PersonRank 10]

13 years ago #

I hope googlebot will index it. It would be fun.

Philipp Lenssen [PersonRank 10]

13 years ago #

> the question was why HTML was not rendered.

Rendering HTML could compromise the page (HTML injection – Google has a whitelist of tags with which they clean HTML, but this might still allow you to leave e.g. a <b> tag open, rendering the whole page in bold). And rendering JS would even compromise the Google cookie.

> I hope googlebot will index it.

Hmm... I can't see any meta-directive excluding robots in the page itself, and as there's no robots.txt file at this time (gears.google.com/robots.txt)... I guess it can be indexed, as it's linked from other places (like this forum). This search doesn't yet return results though:
google.com/search?hl=en&q= ...
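
The sink difference discussed in this thread, as an added example (not part of the original posts and not Google's code): it reuses the parameter lookup and 150-character limit quoted above and compares text assignment with a hypothetical innerHTML sink. The host installer.example, the `sink` argument, the try/catch and `asTextNodeMarkup` (a stand-in for how a browser serialises a text node) are assumptions so that it runs in Node without a DOM.

```javascript
// Added example. Models the installer page's handling of ?message=... in Node.
const MAX_LEN = 150; // limit used by the page's putParamText

// Same lookup as the page's getQueryParam, with the URL passed in explicitly.
function getQueryParam(href, name) {
  const m = new RegExp('[?&]' + name + '=([^&#]*)').exec(href);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed %-sequence: treat as "no message" (added handling)
  }
}

// Assumption: stands in for the DOM. A string assigned via textContent becomes
// a text node, which serialises with &, < and > escaped.
function asTextNodeMarkup(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// sink is 'textContent' (what the page does) or 'innerHTML' (hypothetical).
function render(href, sink) {
  let text = getQueryParam(href, 'message');
  if (!text) return '';
  if (text.length > MAX_LEN) text = text.substring(0, MAX_LEN);
  return sink === 'innerHTML' ? text : asTextNodeMarkup(text);
}

// Constructed URLs; installer.example is a placeholder host.
const base = 'https://installer.example/?message=';
const samples = {
  openTag: base + '%3Cb%3EInstall%20now',
  tooLong: base + 'a'.repeat(200),
  badEncoding: base + '%zz',
};

for (const [label, url] of Object.entries(samples)) {
  console.log(label, '| text sink:', render(url, 'textContent').slice(0, 40),
    '| html sink:', render(url, 'innerHTML').slice(0, 40));
}
```

With the text sink the open <b> stays inert as escaped text, while the hypothetical HTML sink would pass it through unchanged, which is the open-tag case described above.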
