ThunderScan Discovered Multiple Vulnerabilities in Google API Client Library for PHP

Hi,

During the security audit of Google APIs Client Library for PHP multiple XSS vulnerabilities were discovered using DefenseCode ThunderScan SAST application source code security analysis platform. The Google API Client Library for PHP is designed for PHP client-application developers. It offers simple, flexible, powerful access to many Google APIs such as Google+, Drive, or YouTube.

The Cross-Site Scripting vulnerability can enable the attacker to construct the URL that contains malicious JavaScript code. If the administrator of the site makes a request to such an URL, the attacker's code will be executed, with unrestricted access to the site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, posting it as a part of the comment on the vulnerable site or another forum. Once the unsuspecting user has visited such an URL, the attacker can proceed to send requests to the API on the behalf of the victim from his JavaScript.

Full advisory can be read on the following URL: http://www.defensecode.com/advisories/DC-2017-04-012_google-api-php-client_Advisory.pdf

Regards,
DefenseCode Team