MOSEB-01: Vulnerability at meta.ua

19:24 01.06.2007

Month of Search Engines Bugs has started.

The first participant of the project is the search engine meta.ua. The company Meta is a Ukrainian search engine vendor, and meta.ua is a leading Ukrainian engine.

As you can guess, I put Meta at the beginning of the participants’ list because it is my native engine (the only Ukrainian search engine in the list). And I care very much about the state of security of this engine.

The vulnerability which I present to you was already posted on my site before. The hole at my search engine site http://meta.ua was found on 22.09.2006. There were two holes (in the q and url parameters); I informed the Meta guys and they fixed those holes. But they did it incompletely. In one parameter a hole was left (with some query modification), so here it is.

XSS:

The vulnerability is in the url parameter:
http://meta.ua/search.asp?url=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also, the page with the HTML injection hole has PR4. So it will be interesting for black SEO guys.

Moral: if I told you about holes at your site and you fixed them, try to fix them completely.
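
What a complete fix looks like, as an added example that is not meta.ua's code and not part of the original post: every reflected parameter goes through the same output encoder, and a regression check reports any parameter that still reaches the page raw. The single-quoted attribute markup, the function names and the "only q was encoded" partial fix are assumptions made for illustration; the url value in the sample query is the one from the link above.

```javascript
// Constructed example: markup and function names are assumptions,
// not the real search.asp code.

// Encode the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Incomplete fix (assumed, simplified): q is encoded, url is still
// concatenated into the single-quoted attribute as received.
function renderFormPartial(params) {
  return "<input name='q' value='" + escapeHtml(params.get('q') || '') + "'>" +
         "<input name='url' value='" + (params.get('url') || '') + "'>";
}

// Complete fix: one helper encodes every value that is echoed back.
function renderFormSafe(params) {
  const field = (name) =>
    "<input name='" + name + "' value='" + escapeHtml(params.get(name) || '') + "'>";
  return field('q') + field('url');
}

// Regression check: names of parameters whose decoded value contains HTML
// metacharacters and still appears verbatim inside its attribute.
function unescapedParams(render, query) {
  const params = new URLSearchParams(query);
  const html = render(params);
  return [...params.keys()].filter((name) => {
    const raw = params.get(name);
    return /[&<>"']/.test(raw) && html.includes("name='" + name + "' value='" + raw);
  });
}

// Sample query: the url value is taken from the post; reusing it for q
// is constructed for this test.
const PROBE = '%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E';
const SAMPLE_QUERY = 'q=' + PROBE + '&url=' + PROBE;

console.log('partial fix leaves raw:', unescapedParams(renderFormPartial, SAMPLE_QUERY));
console.log('complete fix leaves raw:', unescapedParams(renderFormSafe, SAMPLE_QUERY));
```

Running the check for every parameter a page echoes, rather than only the one named in a report, is what catches the parameter that was left behind.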

P.S.

This hole is already old, and for this reason I prepared a new hole at meta.ua. So there will be a bonus post today ;-) .


2 responses to “MOSEB-01: Vulnerability at meta.ua”

  1. Silentz says:

    Hey,

    I was wondering how do we submit our finds for listing on MOSEB? It’s just that I have found a couple in some MAJOR search engines and would like to contribute my findings. And as I can’t read whatever language is in use on this blog I can’t manage to figure out how to get your email address.

    Let me know,
    Silentz

  2. MustLive says:

    Silentz

    My e-mail is on every page of my site at the bottom of the page in my pseudonym (and additionally on the about page). So it is easy for everyone to find my e-mail.

    By my plan I was going to post only holes found by me. But it is possible to publish holes found by other security researchers. If you have interesting holes in major search engines then it is possible for you to contribute to the MOSEB project.

    I will contact you.
