MOSEB-07 Bonus: Vulnerabilities in Yandex.Server

20:45 07.06.2007

New bonus vulnerabilities in Yandex. In this case the vulnerabilities are not directly at Yandex’s own site, as in MOSEB-07: Vulnerability at blogs.yandex.ru, but in a local search engine made by Yandex.

The holes are in Yandex.Server (Яndex.Server), a local search engine from Yandex which is used by a lot of sites (and so many of them are vulnerable, except those which have already fixed these holes). In my practice of social security audit I found many sites (in 2006 and 2007) with Yandex.Server which have such holes (I wrote about this issue in the article Vulnerabilities in search Яndex.Server). I informed the owners of the sites with these holes (the sites which I found, which are only a small part of all vulnerable sites) and informed Yandex. But there are still a lot of vulnerable sites on the Internet with these holes, so site owners need to take care of the holes if they are using the Yandex.Server engine.

Searching in Google (aka Google Hacking) allows you to quickly find sites which are using Yandex.Server and find holes in them. So every user of this engine needs to attend to security.

The vulnerabilities are reflected XSS in the query and within parameters (of the main search script). The parameter value is echoed back into the results page without HTML encoding, so the "> / '> prefix closes the attribute the value lands in and the rest is rendered as a tag:
http://site/search/?query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/search/?within=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
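The fix on the site side is to HTML-encode the reflected value for the context it is written into. The snippet below is an added illustration, not Yandex.Server’s own template code: a reconstructed vulnerable form that reflects both parameters into attribute values verbatim, the same form with html.escape(quote=True) applied, and a small access-log check that flags search requests whose query or within parameter carries markup characters. The form markup and the function names are assumptions made for the example; the two payload strings are the URL-decoded values from the URLs above.

```python
import html
from typing import List
from urllib.parse import urlparse, parse_qs

# Constructed: the injected values from the two URLs above, URL-decoded.
QUERY_PAYLOAD = '"><script>alert(document.cookie)</script>'
WITHIN_PAYLOAD = "'><script>alert(document.cookie)</script>"


def render_form_vulnerable(query: str, within: str) -> str:
    """Reflects both parameters into attribute values with no encoding.
    Illustrative reconstruction of the weakness, not the real template:
    a leading double quote (query) or single quote (within) closes the
    attribute and the rest of the value becomes markup."""
    return (
        '<form action="/search/">'
        f'<input name="query" value="{query}">'
        f"<input name='within' value='{within}'>"
        "</form>"
    )


def render_form_safe(query: str, within: str) -> str:
    """Same markup, but every reflected value goes through html.escape with
    quote=True, which encodes <, >, &, \" and ' so the value can neither
    close its attribute nor open a tag."""
    return (
        '<form action="/search/">'
        f'<input name="query" value="{html.escape(query, quote=True)}">'
        f"<input name='within' value='{html.escape(within, quote=True)}'>"
        "</form>"
    )


def contains_injected_tag(markup: str) -> bool:
    """True when a <script> tag appears in the rendered output, i.e. a
    parameter escaped its attribute context."""
    return "<script" in markup.lower()


def flag_suspicious_search_request(url: str) -> List[str]:
    """Defensive log check: returns the names of the search parameters
    (query, within) whose decoded value contains markup characters.
    parse_qs already URL-decodes, so %22%3E becomes \">."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    flagged = []
    for name in ("query", "within"):
        if any(ch in value for value in params.get(name, []) for ch in "<>\"'"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(render_form_vulnerable(QUERY_PAYLOAD, WITHIN_PAYLOAD))
    print(render_form_safe(QUERY_PAYLOAD, WITHIN_PAYLOAD))
    print(flag_suspicious_search_request(
        "http://site/search/?query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"))
```

The log check is deliberately broad (any of <, >, ", ' in the two parameters) so that it catches variations of the payload, not just the exact string above; expect some false positives from legitimate quoted searches and review them rather than tuning the check to the one known payload.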

As an example I’ll show you the site www.rian.ru with this local search engine. I wrote about these holes before in the article Vulnerability at www.rian.ru (and also wrote about other holes at other sites which are using Yandex.Server). And I informed the administrators of this site, but they haven’t fixed the holes completely yet.

XSS:

Also the page with the HTML injection hole has PR5. So black SEO guys will be happy.

Moral #1: using local search engines can be dangerous.

Moral #2: if I told you about holes at your site, then try to fix them.

Moral #3: if you are using a local search engine at your site (even one from a famous vendor), always attend to security audits of the site.
