Vulnerabilities > CVE-2008-6512 - Unspecified vulnerability in Google Gears
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL network
google
Summary
Cross-domain vulnerability in the WorkerPool API in Google Gears before 0.5.4.2 allows remote attackers to bypass the Same Origin Policy and the intended access restrictions of the allowCrossOrigin function by hosting an assumed-safe file type containing Google Gear commands on the target domain, then accessing that file from the attacking domain, whose response headers are not checked and cause the worker code to run in the target domain.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 32698 CVE(CAN) ID: CVE-2008-6512 Google Gears是一个开源浏览器扩展,允许开发者开发离线网络程序。 Google Gears的WorkerPool API中存在跨域安全漏洞。如果攻击者在目标域上放置了包含有Google Gear命令的文件类型,然后从攻击域访问该文件,由于没有检查攻击域的响应头,因此可能绕过allowCrossOrigin函数的访问限制在目标域中运行worker代码。 Google Gears < 0.5.4.2 厂商补丁: Google ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.google.com target=_blank rel=external nofollow>http://www.google.com</a> |
| id | SSV:4950 |
| last seen | 2017-11-19 |
| modified | 2009-03-25 |
| published | 2009-03-25 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-4950 |
| title | Google Gears WorkerPool API绕过同源策略漏洞 |
References
- http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html
- http://code.google.com/apis/gears/upcoming/api_workerpool.html#cross_origin
- http://lists.grok.org.uk/pipermail/full-disclosure/2008-December/066291.html
- http://secunia.com/advisories/33062
- http://www.securityfocus.com/bid/32698
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47173