Google promises patch for PHP API client that has XSS vulnerability

Google’s PHP API client users have been warned to  watch out for phishing attacks while Google patches a cross-site scripting (XSS) vulnerability in the code.

The bug, discovered by DefenseCode’s Leon Juranic using the company’s ThunderScan source code scanner, has been acknowledged by the Chocolate Factory (as a “nice catch”), and a fix is promised.

The basis of the vuln is that if an attacker can get an administrator to “click the link”, they can be send malicious JavaScript, and “the attacker’s code will be executed, with unrestricted access to the site in question”.

The library in question is described by Google as a “beta”, but it’s been around long enough that there’s a well-followed Stackoverflow forum and tutorials about how to use the API and OAuth2 to pull Google data into other projects. The APIs include interfaces to Google+, Drive and YouTube.

The two XSS bugs the post describes are in the $_SERVER['PHP_SELF'] function.

“Once the unsuspecting user has visited such an URL, the attacker can proceed to send requests to the API on the behalf of the victim from his JavaScript”, the post adds.