MOSEB-03: Vulnerability at www.hotbot.com

19:16 03.06.2007

The next participant of the project is the HotBot search engine. It is one of the popular search engines, and it is a meta engine, so it uses the Ask and MSN engines directly for searching.

The vulnerability is in HotBot Web Search (www.hotbot.com). I found this Cross-Site Scripting hole on 23.05.2007.

XSS:

The vulnerability is in the query parameter:
http://www.hotbot.com/?query=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
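
An added example, not code from the original post or from HotBot: it shows why the URL above breaks out of the page and how HTML output encoding stops it, assuming the query is echoed inside `<title>` (as the payload's leading `</title>` implies). The page template and all function names are hypothetical.

```javascript
// Constructed illustration: the template below is an assumption, not HotBot's markup.
const SAMPLE_URL =
  'http://www.hotbot.com/?query=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E';

// Decode the "query" parameter the way a server-side framework would.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('query') ?? '';
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: the decoded query is concatenated into the page as-is,
// so "</title>" ends the title element and the rest is parsed as markup.
function renderVulnerable(query) {
  return `<html><head><title>Search: ${query}</title></head>` +
         `<body><input name="query" value="${query}"></body></html>`;
}

// Hardened form: the same template, with the query encoded for the HTML context.
function renderEscaped(query) {
  const q = escapeHtml(query);
  return `<html><head><title>Search: ${q}</title></head>` +
         `<body><input name="query" value="${q}"></body></html>`;
}

// Simple regression check: the template itself contains no script element,
// so any "<script" in the output came from user input.
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

const query = queryFromUrl(SAMPLE_URL);
console.log('decoded query :', query);
console.log('vulnerable    :', hasInjectedScript(renderVulnerable(query)));
console.log('escaped       :', hasInjectedScript(renderEscaped(query)));
console.log(renderEscaped(query));
```
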

Also, the page with the HTML injection hole has PR8. It is a dream (and with me dreams come true). And this is the best choice for black SEO guys :-) .

Moral: searching in meta engines can be dangerous.

Note that HotBot belongs to Lycos. So Lycos is also responsible for this hole. And don’t worry guys, Lycos will also be in MOSEB.

P.S.

Also, I prepared another (and more interesting) hole at www.hotbot.com. So wait for today’s bonus post ;-) .

