JAR: protocol vuln – targeting to Google now

According to the report of pdp several Web sites supporting open redircts are vulnerable to recent JAR: protocol vulnerability.

More information about these XSS vulnerabilities (hey, these are serious now!) is available at GNUCITIZEN entry here:

Severe XSS in Google and Others due to JAR protocol issues

Update 26th Nov: The author of Beford Blog has shared information that his “jarjarbinks.htm” PoC type link still works – when entering it manually to browser’s address bar. Google is still affected to JAR flaw.

  • Tyop?

    “hey, these are serious now!”

    Just now ? (^-^)

  • http://networksecurity.typepad.com/ Juha-Matti

    Not only now. This was to the people criticizing the XSS’s on security mailing lists during these weeks :)