Fair Use: Please note that use of the Netcraft Blog is subject to our Fair Use and Copyright policies. For more information, please visit http://news.netcraft.com/fair-use-copyright, or email info@netcraft.com.

  1. Google Spreadsheets vulnerability exposes IE users’ Gmail, Documents and more

    An interesting cross-site scripting (XSS) vulnerability found in the Google Spreadsheets service would have allowed attackers to gain unauthorised access to other Google services, including Gmail and Google Docs.

    The vulnerability was discovered by security engineer Billy Rios, and takes advantage of nuances in the way Internet Explorer handles Content-Types for webpages.

    Google Spreadsheets XSS

    When a spreadsheet is saved and downloaded in CSV format, the Content-Type is set to "text/plain", thereby instructing the client's browser that the document should be treated as plain text. However, if HTML tags are entered into the first cell of the spreadsheet, Internet Explorer detects these tags near the start of the CSV document and instead deduces that it should be treated as HTML. This essentially allowed arbitrary HTML webpages to be served from spreadsheets.google.com, which in turn allowed JavaScript to be executed in the context of the spreadsheets.google.com site. A remote attacker could exploit this weakness by stealing the user's session cookies and hijacking their session.

    Rios points out that Google cookies are valid for all google.com sub domains. This means that when a user logs in to Gmail, the Gmail cookie is also valid for other Google services, such as Google Code, Google Docs, Google Spreadsheets, and more. Cross-site scripting vulnerabilities in any of these sub domains can allow an attacker to hijack a user's session and access other Google services as if they were that user.

    Google has fixed the vulnerability discovered by Rios and there have been no reports of the vulnerability being exploited by attackers.

    Posted by Paul Mutton on 14th April, 2008 in Security Share

  2. Google Offers Free Web Application Hosting

    Google has made a bolder move into web application hosting, unveiling the preview release of its Google App Engine service.

    The Google App Engine allows developers to build web applications on the same systems that power other Google applications, affording good scalability without needing to worry about infrastructure. For those who are familiar with the Python programming language, Google App Engine offers far greater flexibility than Google's existing free hosting service, Google Pages.

    In contrast to Amazon's EC2 service, which now offers scalable hosting through Elastic IP Addresses and Availability Zones, Google App Engine allows developers to get started with its service for free. Google's site claims that every Google App Engine application can use up to 500MB of storage and enough bandwidth and CPU for 5 million monthly page views.

    With Amazon's recent offering of low-cost web application hosting, and now Google's free web application hosting, the conventional web hosting industry may be set to see some radical changes. With both services providing high scalability, yet without adding complexity, these could be seen as an attractive alternative to setting up a busy website on dedicated servers. Conversely, they are less likely to appeal to casual website owners, simply because the services require more knowledge and skill to use than simpler services such as Google Pages, Blogger or Apple iWeb.

    The account registrations for the current preview release are limited to the first 10,000 developers, and only free accounts are available. Up to three applications can be created with a single Google App Engine account, and a number of applications have already been developed and are available at appgallery.appspot.com.

    Google App Engine currently allows developers to write applications using Python 2.5, with some modules disabled for security reasons. A number of Python web frameworks will work on Google App Engine, and Django is included with the SDK for convenience.

    Applications written for Google App Engine are not permitted to write to disk; instead, all data is stored in the Google App Engine datastore. A language called GQL uses SQL-like syntax to interface with the datastore. Scalability is achieved by using the Bigtable distributed storage system for structured data. The same storage system is used by a number of other popular Google projects, including web indexing, Google Earth and Google Finance.

    The Google App Engine team have set up a new blog for the service at googleappengine.blogspot.com

    Posted by Paul Mutton on 8th April, 2008 in Hosting Share

Page 2 of 212