According to a posting on Seclists.org, a team at DefenseCode discovered multiple XSS vulnerabilities during a security audit of google-api-php-client (Google's PHP client library for accessing Google APIs), using its ThunderScan SAST (static application security testing) source code analysis platform.
“If the administrator of the site makes a request to such a URL, the attacker's code will be executed, with unrestricted access to the site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, posting it as part of a comment on the vulnerable site or another forum,” said the researchers.
According to the DefenseCode advisory, Google is expected to resolve security issues in the next release. “All users are strongly advised to update google-api-php-client to the latest available version when the vulnerabilities get fixed,” said the advisory.
Mark James, IT security specialist at ESET, told SC Media UK that any cross-site scripting vulnerability is potentially bad.
He added that the best way to stay protected is to have a multi-layered approach: keep your operating systems up to date and fully patched, and use the latest versions where possible. “Also, it is important to have a good, regularly updating internet security product and ensure you use unique, complex passwords where possible, or consider password managers and two-factor authentication.”
Martin Ellis, security consultant at SureCloud, told SC Media UK that organisations need to ensure that all user-controllable inputs are properly encoded. “It is possible to fully mitigate against XSS attacks by correctly encoding user input. Regular code review, both manual and with the use of automated tools, can help to find these types of vulnerability,” he said.
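The encoding Ellis refers to is most reliable when applied at the point where a value is written into a page, using an encoder for the context it lands in (HTML body, attribute, or inline script). The following PHP is an added illustration of that practice; it is not code from google-api-php-client, DefenseCode or SC Media, and the function names and the sample value are constructed for this example. The first function shows the reflected pattern the article describes (a request parameter concatenated straight into HTML); the other two show context-aware encoding of the same value.

```php
<?php
// Added example, not from google-api-php-client: reflecting a user-controlled
// parameter into a page. renderUnsafe() is the pattern behind a reflected XSS;
// renderSafe() and renderSafeInScript() encode at output time for their context.

declare(strict_types=1);

// Vulnerable pattern: the raw value is concatenated into the document, so any
// markup characters it contains are interpreted by the browser as markup.
function renderUnsafe(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Encoder for an HTML text node or attribute value.
// ENT_QUOTES escapes both ' and " (required inside attribute values);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would otherwise silently blank the output and hide encoding bugs.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: same template, value encoded for the HTML context it is placed in.
function renderSafe(string $name): string
{
    return "<p>Hello, " . html($name) . "</p>";
}

// A different sink needs a different encoder. A value embedded in an inline
// <script> block is emitted as a JSON string literal; the JSON_HEX_* flags
// hex-escape < > & ' " so the literal cannot close the script element or
// introduce HTML, and JSON_THROW_ON_ERROR refuses invalid input loudly.
function renderSafeInScript(string $name): string
{
    $js = json_encode(
        $name,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>var userName = " . $js . ";</script>";
}

// Constructed sample value: ordinary text mixed with HTML-significant characters.
$input = 'O\'Neil <b>&</b> "friends"';

echo renderUnsafe($input), PHP_EOL;        // markup passes through unchanged
echo renderSafe($input), PHP_EOL;          // markup characters become entities
echo renderSafeInScript($input), PHP_EOL;  // value becomes an escaped JS literal
```

In a code review, the check is mechanical: for every place a request-derived value reaches a response, confirm that an encoder matching that output context sits between the two, and that a single encoding step is not reused across HTML, attribute, URL and script sinks.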