Archive for category 'MOSEB'

MOSEB-13: Vulnerabilities at metacrawler.com

22:41 13.06.2007

The next participant of the project is the MetaCrawler search engine. It is one of the popular meta search engines.

The vulnerabilities are at MetaCrawler (www.metacrawler.com) in the White Pages search. I found these Cross-Site Scripting holes on 27.05.2007.

XSS:

The vulnerabilities are in the qf and qn parameters:
http://www.metacrawler.com/info.metac/white-pages/message.htm?otmpl=/white-pages/results.htm&qf=%3Cscript%3Ealert(document.cookie)%3C/script%3E&searchtype=citystate

Moral: searching in white pages can be dangerous.

Note that the MetaCrawler engine belongs to InfoSpace, Inc., so they are also responsible for these vulnerabilities. And don’t worry guys, InfoSpace will also be in MOSEB.

MOSEB-12 Bonus: Vulnerability in AltaVista

22:40 12.06.2007

A new bonus vulnerability in AltaVista. In this case the vulnerability is not directly at AltaVista’s site, as in MOSEB-12: Vulnerabilities at www.altavista.com, but in the local search engine made by AltaVista.

The hole is in the AltaVista local search engine, which can be used by a lot of sites (and so all of them can be vulnerable).

The vulnerability is in the text parameter (in the main script):
http://site/?text=%3Cscript%3Ealert(document.cookie)%3C/script%3E

As an example I’ll show you the site av.rbc.ru with this local search engine. I wrote about this hole before in the article Vulnerabilities at sites of RBC. I found this hole on 31.08.2006 and informed the administrators of the site, and they have already fixed this hole (but with a big delay). I didn’t write about this vulnerability as a separate hole in the AltaVista local engine and decided to write about it in MOSEB. And it is worth it, because there can be many sites on the web which use this engine. So everyone who uses the AltaVista local engine on their own site needs to attend to security.

XSS:

Moral #1: local searching can be dangerous.

Moral #2: if you are using a local search engine on your site (even from a famous vendor), always attend to a security audit of the site.

Note that the AltaVista local engine also belongs to Yahoo! Inc (like the main AltaVista engine), so Yahoo is also responsible for this vulnerability.

MOSEB-12: Vulnerabilities at www.altavista.com

19:46 12.06.2007

The next participant of the project is the AltaVista search engine. It is one of the popular search engines.

The vulnerabilities are at AltaVista (www.altavista.com) in the Images, MP3/Audio, Video and News search. I found these Cross-Site Scripting holes on 25.01.2007.

XSS:

The vulnerabilities are in the q parameter:
http://www.altavista.com/image/results?q=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: searching for images, audio, video and news can be dangerous.

Note that the AltaVista engine belongs to Yahoo! Inc., so Yahoo is also responsible for these vulnerabilities (as for their own at MOSEB-02).

P.S.

I have also prepared another hole concerning AltaVista, so wait for today’s bonus post ;-) .

MOSEB-11: Vulnerability at www.ezilon.com

21:32 11.06.2007

The next participant of the project is the Ezilon search engine. Ezilon Europe is a regional web directory and search engine.

There is a vulnerability at the main site of Ezilon (www.ezilon.com) in the search results. I found this Cross-Site Scripting hole on 25.05.2007.

XSS:

The vulnerability is in the q parameter:
http://www.ezilon.com/cgi-bin/jump/jump_search.cgi?cat=1&q=--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: regional searching can be dangerous.

MOSEB-10 Bonus: Vulnerabilities at www.ask.com

22:55 10.06.2007

New bonus vulnerabilities at Ask. The Cross-Site Scripting hole was sent to me by Silentz today (in the contact script). Nice one, man. And after I checked it I also found 3 additional holes in that script and 4 holes in another script. So there are a lot of new XSS at Ask ;-) (thanks to Silentz).

The holes are at Ask (www.ask.com) in the contact forms Ask Customer Service and Consumer Feedback. And these are XSS vulnerabilities like in MOSEB-10: Vulnerabilities at www.ask.com (8 new holes in total).

Ask Customer Service (www.ask.com/contact).

XSS:

The vulnerabilities are in the optional-name, require-email, optional-url and optional-message parameters:
http://www.ask.com/contact?optional-name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also the page with the HTML injection hole has PR5, and black SEO guys will be happy.

Consumer Feedback (www.ask.com/contactlegal).

XSS:

The vulnerabilities are also in the optional-name, require-email, optional-url and optional-message parameters.

Moral: writing to a search engine vendor via a contact form can be risky.

MOSEB-10: Vulnerabilities at www.ask.com

20:49 10.06.2007

The next participant of the project is the Ask search engine. It is one of the popular search engines.

The vulnerabilities are in Ask web search. I found these Cross-Site Scripting holes on 10.05.2007.

XSS:

The vulnerabilities are in the qid and jss parameters:
http://www.ask.com/web?q=test&qid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also the page with the HTML injection hole has PR5, so black SEO guys will be happy.

Moral: searching in the web can be dangerous.

P.S.

I have prepared other holes at Ask.com, so wait for today’s bonus post ;-) .
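The payloads in the MOSEB-12, MOSEB-11 and MOSEB-10 posts above each break out of a different HTML context: `</title>` closes the title element, `-->` closes an HTML comment and `">` closes a quoted attribute. The following is an added example (not code from the original posts or from any of the named vendors) that renders a search results page with the term pasted verbatim into all three contexts, then renders the same page with the term HTML-escaped once before it enters any context. The sample URLs are constructed here and reuse the payload shapes from the posts; `www.example.invalid` and the page template are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs (not real requests). The first three reuse the payload
# shapes shown in the MOSEB-12, MOSEB-11 and MOSEB-10 posts; the last is benign.
SAMPLE_URLS = {
    "title":     "http://www.altavista.com/image/results?q=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "comment":   "http://www.ezilon.com/cgi-bin/jump/jump_search.cgi?cat=1&q=--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "attribute": "http://www.ask.com/web?q=test&qid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "benign":    "http://www.example.invalid/search?q=linux+kernel",
}


def query_param(url, name):
    """First value of query parameter `name`, percent-decoded, or '' if absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(term):
    """Results page (assumed template) that pastes the search term verbatim into a
    <title>, an HTML comment and a quoted attribute. Each payload above closes one
    of these contexts; this is the pattern behind the reflected XSS holes."""
    return (
        "<html><head><title>Results for " + term + "</title></head><body>\n"
        "<!-- query: " + term + " -->\n"
        '<input name="q" value="' + term + '">\n'
        "<h1>Results for " + term + "</h1></body></html>"
    )


def render_hardened(term):
    """Same page with the term HTML-escaped once before it enters any context.
    html.escape(quote=True) turns <, >, &, " and ' into entities, so the term can
    no longer close a tag, a comment or an attribute."""
    safe = html.escape(term, quote=True)
    return (
        "<html><head><title>Results for " + safe + "</title></head><body>\n"
        "<!-- query: " + safe + " -->\n"
        '<input name="q" value="' + safe + '">\n'
        "<h1>Results for " + safe + "</h1></body></html>"
    )


def reflects_markup(page):
    """True if the rendered page contains a <script tag, or more than the single
    </title> and single comment close that the template itself contains."""
    lowered = page.lower()
    return ("<script" in lowered
            or lowered.count("</title>") != 1
            or lowered.count("-->") != 1)


def compare(url, name):
    """Render both variants for one URL and report whether each reflects markup."""
    term = query_param(url, name)
    return {
        "term": term,
        "vulnerable_reflects": reflects_markup(render_vulnerable(term)),
        "hardened_reflects": reflects_markup(render_hardened(term)),
    }


if __name__ == "__main__":
    cases = {"title": (SAMPLE_URLS["title"], "q"),
             "comment": (SAMPLE_URLS["comment"], "q"),
             "attribute": (SAMPLE_URLS["attribute"], "qid"),
             "benign": (SAMPLE_URLS["benign"], "q")}
    for label, (url, name) in cases.items():
        print(label, compare(url, name))
```

Escaping on output is the minimum fix; a template that never places user input inside a comment or a `<script>` block needs less of it, and a template engine that escapes by default removes the chance of forgetting one of the reflection points (the posts list four to seven vulnerable parameters per script, which is what forgetting looks like).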

MOSEB-09 Bonus: Vulnerabilities at ftpsearch.rambler.ru

22:57 09.06.2007

New bonus vulnerabilities at Rambler. I found these Cross-Site Scripting holes on 01.06.2007. I found them when I was looking for other holes for the project, after Rambler untimely fixed some that I had prepared. Rambler needs to behave itself properly (when participating in the project).

The holes are at Rambler-FTP (ftpsearch.rambler.ru) in the search results and advanced settings. And these are XSS vulnerabilities like in MOSEB-09: Vulnerabilities at Rambler (12 new holes in total).

Search results (search.html).

XSS:

The vulnerabilities are in the words, ftype, form, what and sort1 parameters:
http://ftpsearch.rambler.ru/db/ftpsearch/search.html?words=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Advanced settings (advanced.html).

XSS:

The vulnerabilities are in the words, pflx, pfli, dflx, dfli, sl and sh parameters:
http://ftpsearch.rambler.ru/db/ftpsearch/advanced.html?words=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: searching on FTP can be dangerous.

MOSEB-09: Vulnerabilities at Rambler

20:51 09.06.2007

The next participant of the project is Rambler. It is one of the most popular Russian search engines.

The vulnerabilities are in Rambler’s Linux Kernel Mail Archives search (linux.rambler.ru), FreeBSD Mail Archives search (freebsd.rambler.ru) and MSDN Library Search (msdn.rambler.ru). I already wrote about these vulnerabilities at linux.rambler.ru (and the holes at the freebsd and msdn searches are the same). I found these Cross-Site Scripting holes on 03.01.2007 (at linux.rambler.ru) and 10.05.2007 (at freebsd.rambler.ru and at msdn.rambler.ru).

There is only one moment (as with Microsoft at MOSEB-05): Rambler fixed all these vulnerabilities before this official disclosure. When I checked these holes on the 1st of June, while I was sending notifications to search engine vendors, I found that they had fixed these holes (which were planned for MOSEB). The holes at linux.rambler.ru were planned for the main bug and the holes at freebsd.rambler.ru and msdn.rambler.ru were planned for the bonus bug. It was a bad move from them to fix these vulns untimely (because when you are in the project, holes need to be fixed on time). But I found a lot of other holes at Rambler, so it will certainly be in my project (with working XSS).

http://linux.rambler.ru

XSS:

The vulnerabilities are in the qs, st_date, end_date and set parameters:
http://linux.rambler.ru/cgi-bin/advanced.cgi?qs=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://freebsd.rambler.ru

XSS:

The vulnerabilities are also in the qs, st_date, end_date and set parameters.

http://msdn.rambler.ru

XSS:

The vulnerabilities are also in the qs, st_date, end_date and set parameters.

Moral: searching for Linux, FreeBSD and MSDN can be dangerous.

P.S.

I have prepared a lot of other holes at Rambler (and they are still working), so wait for today’s bonus post ;-) . Rambler can’t hide from me.

MOSEB-08: Vulnerability at searcheurope.com

22:32 08.06.2007

The next participant of the project is the Search Europe search engine. This is a regional engine and it has European-related information (it’s not big, but it is regional). I found this site when I was looking for European engines for the project, because there are too many engines from the USA in the participants’ list (and I was trying to make the project world-wide).

So here it is, one more European search engine (even if it’s located in the USA :-) , as I got to know later), in addition to the Ukrainian and Russian engines. Don’t worry guys, there will be other European engines during this month (but the larger part of all participants are USA engines).

There is a vulnerability at the main site of Search Europe (www.searcheurope.com) in the search results. I found this Cross-Site Scripting hole on 25.05.2007.

XSS:

The vulnerability is in the query parameter:
http://www.searcheurope.com/cgi-bin/links/search.cgi?query=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: even simple searching can be risky.

MOSEB-07 Bonus: Vulnerabilities in Yandex.Server

20:45 07.06.2007

New bonus vulnerabilities in Yandex. In this case the vulnerabilities are not directly at Yandex’s site, as in MOSEB-07: Vulnerability at blogs.yandex.ru, but in the local search engine made by Yandex.

The holes are in Yandex.Server (Яndex.Server), a local search engine from Yandex, which is used by a lot of sites (and so many of them are vulnerable, except those who have already fixed these holes). In my practice of social security audit I found many sites (in 2006 and 2007) with Yandex.Server which have such holes (I wrote about this issue in the article Vulnerabilities in search Яndex.Server). I informed the owners of the sites with these holes (the sites which I found, and it is only a small part of the total number of vulnerable sites) and informed Yandex. But there are still a lot of vulnerable sites on the Internet with these holes, so site owners need to take care of the holes if they are using the Yandex.Server engine.

Searching in Google (aka Google Hacking) allows you to quickly find sites which are using Yandex.Server and find holes in them. So every user of this engine needs to attend to security.

The vulnerabilities are in the query and within parameters (in the main script):
http://site/search/?query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/search/?within=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

As an example I’ll show you the site www.rian.ru with this local search engine. I wrote about these holes before in the article Vulnerability at www.rian.ru (and also wrote about other holes at other sites which are using Yandex.Server). And I informed the administrators of this site, but they haven’t fixed the holes completely yet.

XSS:

Also the page with the HTML injection hole has PR5, so black SEO guys will be happy.

Moral #1: using local search engines can be dangerous.

Moral #2: if I told you about holes at your site then try to fix them.

Moral #3: if you are using a local search engine on your site (even from a famous vendor), always attend to a security audit of the site.
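Site owners running Yandex.Server, the AltaVista local engine or any other embedded search (the audience of Moral #1 and Moral #3 above) can at least see from their own access logs whether the search parameters are being probed with the payload shapes shown in these posts. The following is an added example, not code from the original posts or from Yandex, that scans Common Log Format lines, decodes each query parameter (repeatedly, so a double-encoded `%2522` is seen as the quote it becomes) and reports values containing HTML markup. The log lines, the 203.0.113.x client addresses and the `MARKERS` list are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in Common Log Format. They are made up for this
# example and reuse the parameter names from the posts above (q, query, within).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2007:19:46:01 +0300] "GET /image/results?q=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120
203.0.113.8 - - [12/Jun/2007:19:47:13 +0300] "GET /image/results?q=sunset+photos HTTP/1.1" 200 4830
203.0.113.9 - - [07/Jun/2007:20:45:30 +0300] "GET /search/?query=%2522%253E%253Cscript%253Ealert(document.cookie)%253C/script%253E HTTP/1.1" 200 3000
203.0.113.9 - - [07/Jun/2007:20:46:02 +0300] "GET /search/?within=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 3001
203.0.113.10 - - [07/Jun/2007:20:47:45 +0300] "POST /search/ HTTP/1.1" 200 2900
"""

# Request line inside the quotes: method, target, protocol. Only the target is used.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed marker set: substrings that have no business in a search term. Matching is
# done on the decoded, lower-cased value, so %3Cscript%3E, %3CSCRIPT%3E and <script>
# are all caught by the same entry.
MARKERS = ("<script", "</", "javascript:")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so %2522 is seen as
    the double quote it becomes after two decoding passes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(param, decoded_value)] for the query parameters of one request
    target whose decoded value contains any of MARKERS."""
    hits = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already removed one encoding layer
            decoded = fully_decode(value).lower()
            if any(marker in decoded for marker in MARKERS):
                hits.append((name, decoded))
    return hits


def scan_log(text):
    """Walk the log and collect one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        for name, value in suspicious_params(target):
            findings.append({
                "client": line.split(" ", 1)[0],
                "path": urlsplit(target).path,
                "param": name,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['path']} {f['param']}={f['value']!r}")
```

Treat the output as triage input rather than proof: a genuine search for a string containing `</` will also match, and the Common Log Format records only the request line, so parameters sent in a POST body (the last sample line) are invisible to this scan. A hit on a parameter the engine reflects into the page is the cue to test that parameter on your own site and apply output escaping, which is the fix the vendors in these posts were asked for.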