Websecurity - Веб безпека

Next participant of the project is Lycos search engine. It is one of the popular search engines.

The vulnerability is at Lycos (search.lycos.com) in web search. This Cross-Site Scripting hole I found 09.10.2006. When I found this hole at Lycos in that October day, I first thought about making some project with vulns in search engines (which became MOSEB).

XSS:

• alert(document.cookie)
• redirector
• html injection (PR7)

The vulnerability is in query parameter:
http://search.lycos.com/?query=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E

Also page with html injection hole has PR7. It is a sweet dream (and I made dream come true). And this is best choice for black seo guys .

Moral: searching in the web can be dangerous.

Note, that Lycos engine use Ask.com search engine. So Ask.com also responsible for this vulnerability.

P.S.

I prepared another hole at Lycos. So wait for today’s bonus post .

This entry was posted on 19:58 17.06.2007 and is filed under MOSEB. You can follow any responses to this entry through the RSS 2.0 feed.