Websecurity - Веб безпека

New bonus vulnerability in MOSEB. This time vulnerability at Yahoo! Shopping. As I wrote in MOSEB-28, Kelkoo belongs to Yahoo (and used as a part of Yahoo! Shopping) so I decided to write about hole at shopping.yahoo.com (which is relative to Kelkoo engine that described in MOSEB-28: Vulnerabilities in Kelkoo). This is new vulnerability in Yahoo, after MOSEB-02.

The vulnerability is at Yahoo! Shopping (shopping.yahoo.com) in Abuse Report. This Cross-Site Scripting hole I found 24.06.2007 and it works in Internet Explorer. It is very cute hole: to bypass filters I used variable-width encoding with expression technique.

XSS:

• alert(document.cookie) (IE)
• redirector (IE)

The vulnerability is in review_excerpt with review_title parameters:
http://shopping.yahoo.com/merchrating/abuse_report.html;_ylu=?message_id=scd-337&merchant_id=1002688&review_excerpt=style%3Dxss:expression(alert(document.cookie))%20%C0&review_title=%C0

Moral: writing reports to search engine vendors can be dangerous.

This entry was posted on 22:42 28.06.2007 and is filed under MOSEB. You can follow any responses to this entry through the RSS 2.0 feed.