The next participant of the project is the Excite search engine. It is one of the popular meta search engines (in the USA).
The vulnerability is at Excite Money & Investing (money.excite.com) in the symbol search results. I found this Cross-Site Scripting hole on 31.05.2007. I used the null byte filter bypass technique for Mozilla and the slash filter bypass technique for Internet Explorer.
- alert(document.cookie) (Mozilla)
- alert(document.cookie) (IE)
- redirector (Mozilla)
- redirector (IE)
- html injection (PR7) (Mozilla)
- html injection (PR7) (IE)
The vulnerability is in the symbol_search_text parameter:
Also, the page with the HTML injection hole has PR7. It is a dream, and black SEO guys will be happy.
Moral: searching for money can be dangerous.
Note that the Excite engine belongs to IAC Search & Media, so Ask.com is also responsible for this vulnerability.
I have also prepared other holes concerning Excite, so wait for today's bonus post.