MOSEB-06: Vulnerabilities at clusty.com

21:07 06.06.2007

The next participant in the project is the Clusty search engine. It is a new and popular meta search engine that clusters its results (it groups similar results into clusters).

There are two vulnerabilities in an error message on the main Clusty site (clusty.com): a Cross-Site Scripting hole and a Full path disclosure hole, which I found on 24.05.2007. The XSS vulnerability works only in Mozilla and Firefox, not in IE, because of how IE's rendering engine treats the plaintext tag the Clusty developers used. In HTML the plaintext element has no end tag, so a browser that ignores the </plaintext> in the echoed input never leaves plaintext mode and shows the injected script as text; only engines that honour the end tag drop back into HTML and execute it.

XSS:

The vulnerability is in the v:file parameter (the injected script itself is carried in the v:state parameter of the URL below):
http://clusty.com/search?v%3afile=viv_744%4025%3aTKjQZH&v%3astate=%28root%29%7croot%3C/plaintext%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Note that the value of the v:file parameter (viv_744%4025%3aTKjQZH) is temporary and only works for a short time, so you need a fresh value to launch the attack (search with Clusty and take the value from the resulting URL).
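To make the reflection concrete, here is an added example (not Clusty's code, and not part of the original post). It decodes the PoC URL above to show what the server actually receives, then compares a hypothetical reconstruction of a <plaintext>-wrapped error page that echoes v:state verbatim with a hardened version that HTML-escapes the value. The error-page templates, the escapeHtml helper and the breaksOut check are all assumptions made for the example.

```javascript
// Added example, not Clusty's code. The error-page markup below is a
// hypothetical reconstruction of a <plaintext>-wrapped error message,
// not the page Clusty actually served.

// The PoC URL from the post, with the v:state payload intact.
const POC_URL =
  "http://clusty.com/search?v%3afile=viv_744%4025%3aTKjQZH&v%3astate=%28root%29%7croot%3C/plaintext%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E";

// Decode the query string the way the server sees it.
function decodeQuery(url) {
  const params = new URL(url).searchParams;
  return Object.fromEntries(params.entries());
}

// Hypothetical vulnerable error page: the state parameter is echoed
// verbatim inside a <plaintext> element. <plaintext> has no end tag in
// HTML, so a browser that treats "</plaintext>" as plain characters
// keeps showing the payload as text (the post reports IE, and a
// commenter reports Firefox 2, as unaffected); a parser that honours
// the end tag returns to HTML and the following <script> runs.
function vulnerableErrorPage(state) {
  return `<html><body>Error: bad state<plaintext>${state}`;
}

// HTML-escape the characters that matter in text and attribute contexts
// before reflecting untrusted input.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: escape the value and avoid <plaintext> entirely.
function hardenedErrorPage(state) {
  return `<html><body>Error: bad state <pre>${escapeHtml(state)}</pre></body></html>`;
}

// Crude check a tester would script against the response body: is there
// an unescaped end tag for the wrapping element followed by a script tag?
function breaksOut(page) {
  return /<\/plaintext>[\s\S]*<script>/i.test(page);
}

const q = decodeQuery(POC_URL);
console.log("v:file  =", q["v:file"]);
console.log("v:state =", q["v:state"]);
console.log("vulnerable page breaks out:", breaksOut(vulnerableErrorPage(q["v:state"])));
console.log("hardened page breaks out:  ", breaksOut(hardenedErrorPage(q["v:state"])));
```

The check only tells you whether the payload survives into the response unescaped; whether it then executes depends on the browser's handling of </plaintext>, which is exactly why the original report is browser-specific. The fix does not depend on that detail: escape every reflected value, and keep user input out of error messages where you can.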

Full path disclosure:

http://clusty.com/search?v%3afile=viv_738%4020%3avyqK9v-

Moral: error messages at search engines can be dangerous.


7 responses to “MOSEB-06: Vulnerabilities at clusty.com”

  1. Alex says:

    Closing tag is not present in Firefox 2, so the bug is Firefox 1.x only.

  2. Alex says:

    s/tag/tag </plaintext>/

    Stupid Wordpress.

  3. MustLive says:

    Thanks for information, Alex.

    I tested it in Mozilla (1.7.7, which I use) and Firefox, and it worked in them. So it is a Firefox <2.0 bug (for old versions of Mozilla and Firefox). And I didn’t test this vuln in Opera (I don’t use it), therefore somebody could test it.

  4. Anon says:

    Oh noes, plz do not be pwning my clusty.com a/c mr hax0r!!!111

  5. Silentz says:

    Alex, how did I know you were going to be overlooking MOSEB?

    I’ve just tried it on Opera and it doesn’t work.

  6. MustLive says:

    Clusty has already fixed this XSS vuln, as I see. Only the Full path disclosure vuln was left.

  7. polonus says:

    Hi Alex,

    For most of the vulnerabilities in FF I was protected by the Netcraft anti-phishing toolbar. Good I have this installed.

    regards,

    polonus
