Multiple persistent and reflected Cross-Site Scripting (XSS)
vulnerabilities were identified in Security Console (Admin Console), Message
Center Classic and Message Center II services of Google Message Security (powered by Postini).
When exploited, the
identified vulnerabilities could lead to Session Hijack, Information
Disclosure, force installation of malicious file or Trojan on users'
Security Console (Admin
- Persistent XSS: parameter setconf-neworg of /exec/admin_orgs
which is persistently stored as part of a sub-organization name (ORGS and USERS>Orgs>Add Sub-Org). Additionally, an effective DoS attack can be mounted against the
organization's administrators by injecting malicious code which prevents
the Web user interface to render properly.
- Reflected XSS: multiple
parameters of /exec/admin_list resource
- Reflected XSS: multiple parameters of /exec/admin_auth
- Reflected XSS: parameters add-good_address
and add-bad_address of /exec/MsgSet resource.
- Reflected XSS: parameters msgid and disp parameters of
style%3d"display: block; width: 500px; height: 500px;
border: 5px solid black"
When Firefox 3.0.x is used (tested
with FF 3.0.1), the attack above allows rendering visible the
hidden INPUT element.
- Reflected XSS: parameters id
and source_uri of /msgctr/message_display resource.
- Security Console build 6_24 (January 2010).
- Message Center Classic build 6_24 (January 2010).
- Message Center II build 6_24 (January 2010), build 6_25 (February 2010), build 6_26 (March 2010) and build 6_27 (April 2010).
Google fixed a first batch of vulnerabilities affecting Security Console
and Message Center Classic in build 6_25 (February 2010).
Additional fixes were included in subsequent releases, with the last fixes added in build 6_29 (June 2010).
January 24: Security Console and Message Centre II vulnerabilities discovered
January 24: Notification sent to Google
January 25: Google acknowledges the vulnerabilities
February 22: Google deploys first set of fixes
April 27: Additional vulnerabilities identified and notification sent to Google
April 28: Additional vulnerabilities identified and notification sent to Google
June 21: Google deploys additional fixes
September 15: MVSA-10-002 advisory published.