Tuesday, June 6, 2017

ThunderScan Discovered Multiple Vulnerabilities in Google API Client Library for PHP

Hi,

During a security audit of the Google APIs Client Library for PHP, multiple XSS vulnerabilities were discovered using DefenseCode ThunderScan, a SAST (static application security testing) source code analysis platform. The Google API Client Library for PHP is designed for PHP client-application developers. It offers simple, flexible, powerful access to many Google APIs such as Google+, Drive, or YouTube.

A Cross-Site Scripting vulnerability enables an attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code is executed with the administrator's privileges on the site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email or posting it as part of a comment on the vulnerable site or another forum. Once the unsuspecting user has visited such a URL, the attacker can proceed to send requests to the API on behalf of the victim from the injected JavaScript.
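The bug class described above is reflected XSS: a value taken from the request URL is copied into the HTML response without being encoded for that context. The following PHP is an added illustration written for this post; it is not code from the google-api-php-client or from the advisory, and the parameter name `state` and the markup are hypothetical, chosen only to show the unsafe pattern next to its hardened form.

```php
<?php
// Added example: a reflected request parameter rendered unsafely and safely.
// Parameter name and markup are hypothetical, not taken from the advisory.

// Vulnerable pattern: the raw query value is concatenated into HTML, so a
// value containing quotes or angle brackets can close the attribute and
// inject its own markup or script.
function renderUnsafe(array $query): string
{
    $state = $query['state'] ?? '';
    return '<a href="?state=' . $state . '">Continue</a>';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// covers both quote styles, and the explicit charset avoids
// encoding-dependent surprises.
function renderSafe(array $query): string
{
    $state = htmlspecialchars($query['state'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?state=' . $state . '">Continue</a>';
}

// Regression check usable in a unit test: true only if no raw <script>
// tag survives in the rendered output.
function outputIsEncoded(string $html): bool
{
    return strpos($html, '<script') === false;
}

// Constructed stand-in for $_GET with a classic harmless probe value;
// no real site or request is involved.
$constructedQuery = ['state' => '"><script>alert(1)</script>'];

$unsafe = renderUnsafe($constructedQuery);
$safe   = renderSafe($constructedQuery);

echo "unsafe encoded? " . var_export(outputIsEncoded($unsafe), true) . "\n"; // false
echo "safe encoded?   " . var_export(outputIsEncoded($safe), true) . "\n";   // true
echo "safe output:    " . $safe . "\n";
// The hardened output contains &quot;&gt;&lt;script&gt; instead of live markup.
```

The same encoding rule applies to every output context the library writes user-controlled data into; values destined for a JavaScript block or a URL need their own context-specific encoding rather than htmlspecialchars alone.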

Full advisory can be read on the following URL: http://www.defensecode.com/advisories/DC-2017-04-012_google-api-php-client_Advisory.pdf

Regards,
DefenseCode Team
