MOSEB-03 Bonus: Persistent XSS at hotbot.com

21:50 03.06.2007

New bonus vulnerabilities at www.hotbot.com. I found these Cross-Site Scripting holes yesterday, 02.06.2007 (when I decided to make a bonus bug for you for the 3rd day of the project), and they are persistent XSS.

The holes are at the main domain of the search engine, http://www.hotbot.com, like MOSEB-03: Vulnerability at www.hotbot.com, but these vulnerabilities (two holes) are much more interesting. It is a complex CSRF + XSS attack that makes these persistent XSS holes work.

CSRF + XSS:

The vulnerability is in the prefs_filters.php script (in the dfi and dfe parameters), which is designed to save filters. This function can be used to attack the engine’s visitors:
http://www.hotbot.com/prefs_filters.php?prov=ask&add_domain=on&dfi=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&save=web

First you use CSRF (for example via a frame or iframe tag) to save the XSS code (into the user’s cookie). Then the user must go to http://www.hotbot.com (you may trick him into visiting the site) for the XSS hole to execute.
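
A server-side view of the two flaws described above, as an added example that is not HotBot's code or part of the original post: the save handler accepts a change only over POST with a per-session token and only for hostname-shaped values, and the stored value is escaped again when it is rendered. The function names, the `csrf_token` field and the input markup are assumptions, and Python is used only to show the logic.

```python
import hmac
import html
import re
import secrets

# Plain hostnames only (e.g. "example.com"); quotes and angle brackets never match.
_DOMAIN_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE
)


def valid_domain_filter(value: str) -> bool:
    return len(value) <= 253 and _DOMAIN_RE.fullmatch(value) is not None


def may_save(method: str, session_token: str, sent_token: str) -> bool:
    """State changes need POST plus a per-session token that a cross-site
    frame or iframe cannot read or guess."""
    return (
        method == "POST"
        and bool(session_token)
        and hmac.compare_digest(session_token.encode(), sent_token.encode())
    )


def save_filter(method, session_token, params):
    """Return the value to store, or None when the request is rejected."""
    dfi = params.get("dfi", "")
    token = params.get("csrf_token", "")  # hypothetical field name
    if not may_save(method, session_token, token):
        return None
    if not valid_domain_filter(dfi):
        return None
    return dfi.lower()


def render_filter_input(stored: str) -> str:
    """Stored preferences come back from the client's cookie, so escape
    again at output time for the attribute context."""
    return '<input type="text" name="dfi" value="%s">' % html.escape(stored, quote=True)


if __name__ == "__main__":
    session = secrets.token_hex(16)  # constructed per-session token
    payload = '"><script>alert(document.cookie)</script>'  # dfi value from the URL above, decoded
    print(save_filter("GET", session, {"dfi": payload, "save": "web"}))
    print(save_filter("POST", session, {"dfi": payload, "csrf_token": session}))
    print(save_filter("POST", session, {"dfi": "Example.com", "csrf_token": session}))
    print(render_filter_input(payload))
```

Either control alone breaks the chain: without the forged save nothing is stored, and without unescaped output the stored value stays inert text.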

Moral: even visiting the main page of a search engine can be dangerous.

Note that HotBot belongs to Lycos, so Lycos is also responsible for these vulnerabilities.

