MOSEB-17 Bonus: Vulnerability at www.lycos.com

22:26 17.06.2007

New bonus vulnerability in Lycos. In this case the vulnerability is not at the search domain, as in MOSEB-17: Vulnerability at search.lycos.com, but at the main domain of Lycos (in the Retriever service).

The vulnerability is at the main Lycos site (www.lycos.com) in Lycos Retriever. I found this Cross-Site Scripting hole on 10.06.2007.

XSS:

The vulnerability is in the query parameter:
http://www.lycos.com/retriever/search.php?rbsearch=dna&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: surfing on search engine vendors’ sites can be risky.
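
An added example, not code from the original post or from Lycos: it decodes the query parameter from the URL above and compares a page that reflects it verbatim with one that HTML-encodes it, using an HTML parser to check whether a script element results. The TEMPLATE page and all function names are assumptions; the real Retriever markup is not shown in the post.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL as given in the post. TEMPLATE is a constructed stand-in page,
# not Lycos Retriever's real markup.
POC_URL = ("http://www.lycos.com/retriever/search.php?rbsearch=dna"
           "&query=%3Cscript%3Ealert(document.cookie)%3C/script%3E")
TEMPLATE = "<html><body><h1>Results for {q}</h1></body></html>"

def query_value(url, name="query"):
    """Percent-decoded value of one query-string parameter."""
    return parse_qs(urlsplit(url).query)[name][0]

def render_unsafe(q):
    """Reflect the value verbatim, the behaviour the post reports."""
    return TEMPLATE.format(q=q)

def render_escaped(q):
    """HTML-encode the value before placing it in element content."""
    return TEMPLATE.format(q=escape(q, quote=True))

class ScriptCollector(HTMLParser):
    """Collects the body of every <script> element the parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def reflected_scripts(body):
    """Script bodies in the parsed page; an empty list means inert text."""
    collector = ScriptCollector()
    collector.feed(body)
    collector.close()
    return collector.scripts
```

The same parser check can be run over a saved response body as a regression test after output encoding is added to a search page.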

