Thursday, November 23. 2006
Today I was reminded about a vulnerability I had totally forgotten about when I read the Securiteam blog posting about using Google to attack websites. The idea is to create a malicious website that contains links attacking web applications and submit it to the Google spider. When the Google spider crawls the page it will also follow the links and voila, Google has attacked the website for you.
This is, however, not really news, because people have been using similar techniques for PageRank fraud for a while now. The idea behind PageRank fraud is to create URLs that use HTML injection vulnerabilities on highly ranked sites to inject HTML links to your page, and to submit those URLs to search engines.
Back to the vulnerability I had forgotten about: more than a year ago I discovered that there is another easy way to trick Google into visiting a certain URL, which has the big advantage that the request happens within a short timeframe after Google is tricked. The crawler trick above has the disadvantage that it is not really possible to know when Google will visit the attack URLs. Additionally, the trick I reported to Google on 10 July 2005, which resulted in no action beside an initial acknowledgement e-mail, has another advantage: it is possible, using CSRF, to trick a person visiting your site into performing the trick on Google, so that your IP doesn't show up in the Google logs.
So now the very simple trick. Google AdSense IFRAMEs are placed on URLs similar to this:
http://pagead2.googlesyndication.com/pagead/ads?client=XXXX&dt=...
...&url=http://victim.com/xyz&...
Most probably because of the Referer problem, the IFRAME's URL contains the URL the ad is displayed on. And now you may guess three times what happens when the url variable points to a URL unknown to Google.
Exactly... After a short while one of the Google Mediapartner crawlers will visit the URL to scan it.
At least this is still the behaviour while I am writing this blog entry... No one knows how fast Google will react once this is public. While it was not public they didn't do anything about it for more than a year.
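As an added, defensive example (not code from the original post): a small log triage script that picks out requests arriving with the AdSense crawler's user agent whose query parameters look like injection payloads, which is what a site on the receiving end of the trick above would see. Such requests come from Google's crawler rather than the attacker's own IP, so blocking the source address is pointless and the useful signal is "someone planted this URL"; the log lines and IP addresses are constructed, and the "Mediapartners-Google" user-agent string is assumed to be the crawler the post refers to.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2006:10:01:02 +0100] "GET /page.php?id=5 HTTP/1.1" 200 512 "-" "Mediapartners-Google"
192.0.2.11 - - [23/Nov/2006:10:01:05 +0100] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 733 "-" "Mediapartners-Google"
198.51.100.7 - - [23/Nov/2006:10:02:00 +0100] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 733 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed user-agent substring of the AdSense crawler discussed in the post.
CRAWLER_UA = "Mediapartners-Google"

# Deliberately small set of injection-looking patterns, matched against
# already URL-decoded query values.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|on\w+\s*=|\.\./", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(path):
    """Names of query parameters whose decoded value matches an injection pattern."""
    query = urlsplit(path).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if SUSPICIOUS.search(v)]


def crawler_delivered_hits(log_text):
    """Requests that carry the crawler UA and an injection-looking parameter.

    The crawler's IP is Google's, not the attacker's, so each hit is evidence that
    the URL was planted somewhere the crawler picked it up, and the fix belongs in
    the application's input handling rather than in an IP block list.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or CRAWLER_UA not in rec["ua"]:
            continue
        params = suspicious_params(rec["path"])
        if params:
            hits.append({"ip": rec["ip"], "path": rec["path"], "params": params})
    return hits
```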