Tuesday, June 6, 2017

ThunderScan Discovered Multiple Vulnerabilities in Google API Client Library for PHP

Hi,

During the security audit of Google APIs Client Library for PHP multiple XSS vulnerabilities were discovered using DefenseCode ThunderScan SAST application source code security analysis platform. The Google API Client Library for PHP is designed for PHP client-application developers. It offers simple, flexible, powerful access to many Google APIs such as Google+, Drive, or YouTube.

The Cross-Site Scripting vulnerability can enable the attacker to construct the URL that contains malicious JavaScript code. If the administrator of the site makes a request to such an URL, the attacker's code will be executed, with unrestricted access to the site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, posting it as a part of the comment on the vulnerable site or another forum. Once the unsuspecting user has visited such an URL, the attacker can proceed to send requests to the API on the behalf of the victim from his JavaScript.

Full advisory can be read on the following URL: http://www.defensecode.com/advisories/DC-2017-04-012_google-api-php-client_Advisory.pdf

Regards,
DefenseCode Team
Posted by at

8 comments:

  1. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. madalin stunt cars

    ReplyDelete

  3. I know there will be many difficulties and challenges but I am determined to do it. If it does not succeed then it will be a lesson for me as well catmario4.com

    ReplyDelete

  8. It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing.
    obat gabagen
    obat ginjal bengkak
    obat keloid
    obat limpa bengkak
    obat thalasemia
    obat kencing tidak tuntas
    obat tbc tulang

    ReplyDelete

Subscribe to: Post Comments (Atom)