Pending Members - Google Groups XSS Bug [Part 1]

Tags: AJAX, Google, Security, XSS

During the weekend I found an script error on the Google pending members web page. Because I was using the new Google groups beta interface I didn't looked on it. But today the script error still occurs and I noticed the same error on the older version, too. I had a look inside the generated html output and found that there was a script tag that was not closed, ah, it was a membership request message.

Because joining my Google group requires approval I ask the user to enter some words why to subscribe to this group. In this textbox you can enter everything, and yes, you can add a script tag, too:

<script> alert(document.cookie); </script>

If I go to the administration tools for this Google group and display the pending members I get following alert message. I did some more tests and found out that it is possible to submit to the group without any approval, only opening the pending members page did automatically approved my test membership request.

 

Updated: read Part 2 of this Google bug.

No Comments