Security researchers from Detectify found a new vulnerability in a Google service and used it to read files from one of Google's production servers.
Google dorking for acquisitions and products led to antique systems without any noticeable number of users. One system caught our eye: the Google Toolbar button gallery.
The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of user-supplied XML documents. The consequences include local file access, SSRF and remote file inclusion, denial of service and, in some cases, remote code execution.
If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms.
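To make the mechanism concrete, here is an added example in Python (not code from the original post or from Detectify): a constructed button-gallery-style document whose DTD declares an external entity pointing at a local file, parsed once by a naive parser that follows SYSTEM entities and once by a hardened parser that disables external entities and refuses any DOCTYPE, as the OWASP cheat sheet recommends. The element names, function names and the sample file contents are assumptions for illustration; the original proof of concept read /etc/passwd and /etc/hosts.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, property_lexical_handler

# Constructed stand-in for the file an XXE payload would exfiltrate
# (the real proof of concept read /etc/passwd on the target).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"


def xxe_payload(path):
    """Button-gallery-style document (hypothetical schema) whose DTD declares
    an external entity that resolves to a local file, expanded inside <title>."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE button [\n'
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        ']>\n'
        '<button>\n'
        '  <title>&xxe;</title>\n'
        '</button>\n'
    )


class TitleHandler(xml.sax.ContentHandler):
    """Collects the character data of <title>, where the entity expands."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "title":
            self._in_title = True

    def endElement(self, name):
        if name == "title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self._parts.append(content)

    @property
    def title(self):
        return "".join(self._parts)


class RejectDoctype:
    """SAX lexical handler that refuses any document carrying a DOCTYPE,
    which removes the DTD (and thus entity declarations) entirely."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_title(xml_text, external_entities=False, reject_doctype=True):
    """Parse the document and return the text of <title>.
    external_entities=True is the naive, vulnerable configuration: SYSTEM
    entities (file://, http://) are fetched and inlined. The defaults are
    the hardened configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    handler = TitleHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.title


def demo():
    """Run the same payload against the naive and hardened parsers.
    Returns (naive_result, no_external_result, hardened_result)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SAMPLE_PASSWD)
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        # Vulnerable: the file contents land in <title>.
        naive = parse_title(payload, external_entities=True, reject_doctype=False)
        # External entities off: the entity expands to nothing.
        no_external = parse_title(payload, external_entities=False, reject_doctype=False)
        # Fully hardened: the DOCTYPE itself is rejected before any entity is seen.
        try:
            hardened = parse_title(payload)
        except ValueError as exc:
            hardened = str(exc)
    finally:
        os.unlink(secret_path)
    return naive, no_external, hardened


if __name__ == "__main__":
    for label, result in zip(("naive", "no external", "hardened"), demo()):
        print(f"{label}: {result!r}")
```

The three results show the gradient a practitioner cares about: the naive parser returns the file verbatim, disabling external general entities alone blanks the entity but still parses attacker-controlled DTDs (leaving room for entity-expansion denial of service), and rejecting the DOCTYPE outright removes the attack surface. Replacing `file://` with an internal `http://` URL in the same payload is the SSRF variant the post alludes to.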
Another One:
What you see here is the /etc/passwd and the /etc/hosts of one of Google’s production servers. Our payloads served as a proof of concept to prove the impact.
They could just as well have tried to access any other file on their server, or moved on to SSRF exploitation in order to access internal systems.
They contacted Google, and after 20 minutes they got a reply from Thai on the Google Security Team. Google rewarded the vulnerability with $10,000.
Author: Venkatesh Yalagandula