MOSEB-09: Vulnerabilities at Rambler

20:51 09.06.2007

The next participant of the project is Rambler, one of the most popular Russian search engines.

The vulnerabilities are in Rambler’s Linux Kernel Mail Archives search (linux.rambler.ru), FreeBSD Mail Archives search (freebsd.rambler.ru) and MSDN Library Search (msdn.rambler.ru). I already wrote about these vulnerabilities at linux.rambler.ru (and the holes in the freebsd and msdn searches are the same). I found these Cross-Site Scripting holes on 03.01.2007 (at linux.rambler.ru) and on 10.05.2007 (at freebsd.rambler.ru and msdn.rambler.ru).

There is only one caveat (as with Microsoft at MOSEB-05): Rambler fixed all these vulnerabilities before this official disclosure. When I checked these holes on the 1st of June, while I was sending notifications to search engine vendors, I found that they had fixed these holes (which were planned for MOSEB). The holes at linux.rambler.ru were planned as the main bug, and the holes at freebsd.rambler.ru and msdn.rambler.ru were planned as the bonus bug. It was a bad move on their part to fix these vulns untimely (because when you are in the project, holes need to be fixed in time). But I found a lot of other holes at Rambler, so it will certainly be in my project (with working XSS).

http://linux.rambler.ru

XSS:

The vulnerabilities are in the qs, st_date, end_date and set parameters:
http://linux.rambler.ru/cgi-bin/advanced.cgi?qs=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://freebsd.rambler.ru

XSS:

The vulnerabilities are also in the qs, st_date, end_date and set parameters.

http://msdn.rambler.ru

XSS:

The vulnerabilities are also in the qs, st_date, end_date and set parameters.
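The PoC URL above starts its payload with %22%3E (a double quote and a closing angle bracket), which is the classic shape for breaking out of a double-quoted attribute value. The script below is an added illustration, not Rambler's code and not taken from this post: it models a hypothetical advanced.cgi form that echoes qs, st_date, end_date and set back into input value attributes (the attribute context is an assumption inferred from the payload), shows the payload producing a live script tag in the unencoded version, and shows the same form with html.escape() applied, which turns the payload into inert text. The vulnerable_params() helper injects the payload into one parameter at a time, the way one would confirm that all four parameters on each of the three hosts are affected.

```python
# Added illustration; not Rambler's code. Models the reflection the PoC URL
# on this page targets: a search form that echoes qs, st_date, end_date and
# set into double-quoted attribute values (assumed context, inferred from the
# leading %22%3E of the payload) without HTML-encoding them.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The page's payload, URL-decoded
PAYLOAD = '"><script>alert(document.cookie)</script>'
# PoC URL in the form given on the page
POC_URL = ("http://linux.rambler.ru/cgi-bin/advanced.cgi?"
           "qs=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")
# Parameters the page reports as reflected
REFLECTED = ("qs", "st_date", "end_date", "set")


def params_from_url(url):
    """Parse the query string into a dict of single, URL-decoded values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(params):
    """Hypothetical vulnerable form: each parameter is echoed unencoded."""
    fields = "".join(
        f'<input name="{name}" value="{params.get(name, "")}">\n'
        for name in REFLECTED
    )
    return f'<form action="advanced.cgi">\n{fields}</form>'


def render_fixed(params):
    """Same form with html.escape(); quote=True also encodes the double
    quote that the payload relies on to close the attribute."""
    fields = "".join(
        f'<input name="{name}" value="{escape(params.get(name, ""), quote=True)}">\n'
        for name in REFLECTED
    )
    return f'<form action="advanced.cgi">\n{fields}</form>'


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags as a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def injected_script_count(html):
    """Number of real <script> start tags in the rendered page."""
    counter = ScriptTagCounter()
    counter.feed(html)
    counter.close()
    return counter.count


def vulnerable_params(render, payload=PAYLOAD):
    """Inject the payload into one parameter at a time and report which
    parameters let it escape the attribute and create a <script> tag."""
    found = []
    for name in REFLECTED:
        params = {n: "2007" for n in REFLECTED}  # constructed benign filler
        params[name] = payload
        if injected_script_count(render(params)) > 0:
            found.append(name)
    return found


if __name__ == "__main__":
    poc = params_from_url(POC_URL)
    print("decoded qs:", poc["qs"])
    print("vulnerable form:", vulnerable_params(render_vulnerable))
    print("fixed form:    ", vulnerable_params(render_fixed))
```

The check deliberately tokenizes the rendered HTML rather than grepping for the payload string: a reflected payload that stays inside the attribute (as in the fixed rendering) is harmless, so the question is whether the tokenizer sees a script start tag, not whether the text came back.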

Moral: searching for Linux, FreeBSD and MSDN can be dangerous.

P.S.

I have prepared a lot of other holes at Rambler (and they still work). So wait for today’s bonus post ;-). Rambler can’t hide from me.

