Archive for June, 2007

Month of Search Engines Bugs: day twenty

23:42 20.06.2007

The Month of Search Engines Bugs continues, and today I published new vulnerabilities.

On the twentieth day of the Month of Search Engines Bugs I published 2 Cross-Site Scripting and Information disclosure vulnerabilities. This time the information is about holes in the search engines WebCrawler and Google.

Two XSS vulnerabilities in WebCrawler's White Pages search and one Information disclosure vulnerability in Google's spider.

We await the next day of Month of Search Engines Bugs.

MOSEB-20 Bonus: Google dorks strikes back

22:26 20.06.2007

Today's bonus vulnerability is in Google. The vulnerability is in Google's spider, which wrongly indexes sensitive content (so it is a Google dork). The day of Google bugs in MOSEB was over (on the 15th day I posted holes in MOSEB-15 and MOSEB-15 Bonus), but this is a nice hole and it is worth mentioning. So Google is here once more with a new bug.

The hole is in Google's spider, and it is an Information disclosure hole. Silentz sent me this one yesterday: his mate Lyecdevf found some bad behaviour of the spider, which results in Google indexing plain-text FTP credentials of YouTube users (their own users). Nice find, guys! Google's spider rocks 8-) (with its love of indexing everything).

You can use the following dorks:

And as I tested, there are working FTP accounts ;-). Every YouTube user needs to attend to security.

The main question (which I already asked in MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine): is Google thinking about its users' security? No, they don't, because they don't care about it. But they need to: Google and other search engines need to take care of users' security.

Moral #1: spiders can index everything, even sensitive information, so vendors need to make their spiders more selective.

Moral #2: while searching in engines you can find interesting and sensitive stuff (until vendors start to listen to moral #1).
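Moral #1 asks vendors to make their spiders more selective. The following is an added example, not Google's code and not the post author's, of what such selectivity can look like at index time: a gate that honours the site's own opt-out signals (X-Robots-Tag header, robots meta tag) and keeps documents containing credential-like text out of the index, masking the secret before it reaches any log. The document shape `{ url, headers, body }`, the detector patterns, and all sample documents are constructed for this example.

```javascript
// Added example, not Google's or the post author's code: an index-time gate a
// crawler could apply before adding a fetched document to its index.
// Document shape { url, headers, body } and all sample documents are constructed.

// Credential-like patterns. Each detector captures the secret part so it can be
// masked before the finding is logged.
const DETECTORS = [
  { kind: 'url-credentials',                       // ftp://user:pass@host/...
    re: /\b((?:ftp|ftps|sftp|https?):\/\/[^\s/:@]+:)([^\s/@]+)(@[^\s/]+)/i,
    mask: m => m[1] + '***' + m[3] },
  { kind: 'key-value-secret',                      // password=..., ftp_pass: ...
    re: /\b((?:password|passwd|pwd|ftp_pass)\s*[:=]\s*)(\S+)/i,
    mask: m => m[1] + '***' },
];

// Returns { kind, redacted } for the first credential-like match, or null.
function findCredentialLeak(text) {
  for (const d of DETECTORS) {
    const m = d.re.exec(text);
    if (m) return { kind: d.kind, redacted: d.mask(m) };
  }
  return null;
}

// Operator opt-out signals: X-Robots-Tag header or <meta name="robots">.
// Header names are assumed to have been lower-cased by the fetcher.
function hasNoindexSignal(doc) {
  const header = String(doc.headers['x-robots-tag'] || '');
  if (/\bnoindex\b/i.test(header)) return true;
  const meta = /<meta\s+[^>]*name\s*=\s*["']robots["'][^>]*content\s*=\s*["']([^"']*)["']/i.exec(doc.body);
  return meta !== null && /\bnoindex\b/i.test(meta[1]);
}

// Decide what the indexer does with a document:
//   'index'      safe to add to the index
//   'skip'       the site asked not to be indexed
//   'quarantine' credential-like content: keep out of the index, flag for review
function classifyForIndex(doc) {
  if (hasNoindexSignal(doc)) return { action: 'skip', reason: 'noindex signal' };
  const leak = findCredentialLeak(doc.body);
  if (leak) return { action: 'quarantine', reason: `${leak.kind}: ${leak.redacted}` };
  return { action: 'index', reason: 'ok' };
}

// Constructed sample documents (hosts use the reserved .invalid TLD).
const SAMPLE_DOCS = [
  { url: 'http://example.invalid/about', headers: {},
    body: '<html><body>About our video site.</body></html>' },
  { url: 'http://example.invalid/paste/17', headers: {},
    body: '<pre>upload target: ftp://alice:s3cret@ftp.example.invalid/videos</pre>' },
  { url: 'http://example.invalid/private', headers: { 'x-robots-tag': 'noindex, nofollow' },
    body: '<html><body>members only</body></html>' },
  { url: 'http://example.invalid/config', headers: {},
    body: '<html><head><meta name="robots" content="noindex"></head><body>ftp_pass=hunter2</body></html>' },
];

// Run the gate over the samples and return one decision per document.
function runSamples() {
  return SAMPLE_DOCS.map(doc => ({ url: doc.url, ...classifyForIndex(doc) }));
}

console.log(runSamples());
```

The noindex check runs first so that a page the operator has already withdrawn is never even scanned, and the `reason` string carries only the masked form of a match, so the quarantine log itself does not become a second copy of the leak.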

P.S.

There was recently another hole at Google, as RSnake wrote in the article Another Google XSS in Google Documents. In this case the XSS hole was in Google Documents.

As I checked, the vulnerability was already fixed, but it was an interesting hole, which reminded Google that they need to attend to security.

MOSEB-20: Vulnerabilities at webcrawler.com

18:36 20.06.2007

The next participant of the project is the WebCrawler search engine. It is one of the popular meta search engines.

The vulnerabilities are at WebCrawler Web Search (www.webcrawler.com) in the White Pages search. I found these Cross-Site Scripting holes on 26.05.2007.

XSS:

The vulnerabilities are in the qf and qn parameters:
http://www.webcrawler.com/info.wbcrwl/white-pages/message.htm?otmpl=/white-pages/results.htm&qf=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E&searchtype=citystate

Moral: using white pages search can be dangerous.

Note that the WebCrawler engine belongs to InfoSpace, Inc., so they are also responsible for these vulnerabilities.

P.S.

I have also prepared another interesting bug, so wait for today's bonus post ;-).

Exploit digest

16:14 20.06.2007

In this digest, exploits for web applications:

  • makit Newsposter Script v3 Remote SQL Injection Vulnerability (details)
  • Xero Portal (phpbb_root_path) Remote File Include Vulnerablity (details)
  • Virtual Path 1.0 (vp/configure.php) Remote File Include Vulnerability (details)
  • Forum Livre 1.0 (SQL Injection / XSS) Multiple Remote Vulnerabilities (details)
  • Aztek Forum 4.0 Multiple Vulnerabilities Exploit (details)
  • AINS 0.02b (ains_main.php ains_path) Remote File Include Vulnerability (details)
  • MyPHPcommander 2.0 (package.php) Remote File Include Vulnerability (details)
  • Woltlab Burning Board 2.3.6 <= / Lite Exploit (details)
  • Exploits ProFTPD 1.3.0/1.3.0a Controls Buffer Overflow (2.4 kernel) (details)
  • webSPELL SQL-injection exploit in gallery.php (details)

Month of Search Engines Bugs: day nineteen

23:49 19.06.2007

The Month of Search Engines Bugs continues, and today I published new vulnerabilities.

On the nineteenth day of the Month of Search Engines Bugs I published 3 Cross-Site Scripting vulnerabilities. This time the information is about holes in the Netscape Search search engine.

  • MOSEB-19: Persistent XSS at search.netscape.com (details)
  • MOSEB-19 Bonus: Vulnerabilities at search.netscape.com (details)

2 XSS vulnerabilities in Search History in Netscape's search results and one XSS in Recent Search.

We await the next day of Month of Search Engines Bugs.

MOSEB-19 Bonus: Vulnerabilities at search.netscape.com

22:52 19.06.2007

New bonus vulnerabilities in Netscape Search. In this case the vulnerabilities are at the same domain as in MOSEB-19: Persistent XSS at search.netscape.com.

The vulnerabilities are at Netscape Search. There are two Cross-Site Scripting holes, and these holes were found on 19.06.2007. The first one, which Yorn sent me today, is a persistent XSS vuln in Search History. It is the same vuln as the one I described in MOSEB-19, but that was a hole in the search script, and this hole is in the image script.

CSRF + XSS:

The vulnerability is in the query parameter:
http://search.netscape.com/search/image?invocationType=topsearchbox.image&query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

First you use CSRF to save XSS code into the user's Search History. Then you trick the user into visiting the site via a simple link to the engine, which executes the XSS.

The second hole, which I found today (when I decided to make a bonus post for you), is an XSS in the Recent Search function.

XSS:

The vulnerability is in the a parameter:
http://search.netscape.com/search/gib?invocationType=recentSearchMaint&a=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: search history in engines can be dangerous.

Note that the Netscape engine uses the AOL search engine, which uses the Google engine. So Google is also responsible for these vulnerabilities.

MOSEB-19: Persistent XSS at search.netscape.com

20:38 19.06.2007

The next participant of the project is the Netscape Search engine. It is one of the popular meta search engines (in the USA).

The vulnerability is at Netscape Search (search.netscape.com) in the search results (in Search History). I found this Cross-Site Scripting hole on 18.05.2007, and it is a persistent XSS.

As in MOSEB-03 Bonus: Persistent XSS at hotbot.com, this is also a complex CSRF + XSS attack, which is what makes this persistent XSS work.

CSRF + XSS:

The vulnerability is in the query parameter and appears in the Search History function (which remembers the user's search queries):
http://search.netscape.com/search/search?invocationType=topsearchbox.webhome&query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

First you use CSRF (for example via a frame or iframe tag) to save XSS code into the user's Search History. Then the user must go to search.netscape.com and search, or just visit the engine by a simple link (you may trick him into visiting the site), and the XSS hole executes.
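The two-step chain above (a cross-site write into Search History, then execution on the next visit) only works because the history endpoint accepts writes from any origin and renders stored queries into HTML verbatim. As an added example, not Netscape's or AOL's code and not the post author's, here is a toy search endpoint with a per-user Search History in a deliberately vulnerable form next to a hardened one. It serves both Netscape posts (the search and image scripts behave the same way) and the reflected cases elsewhere on this page, since the same render-time escaping applies. Assumptions: requests are plain `{ headers, query }` objects, the `Sec-Fetch-Site` header is assumed to be present (it did not exist in 2007 browsers; the session-token path is what would have applied then), and the session token value is constructed.

```javascript
// Added example, not Netscape's/AOL's code and not the post author's: a toy
// search endpoint with a per-user Search History, vulnerable and hardened.
// Requests are plain { headers, query } objects; the token is a constructed value.

// Escape for HTML text and double-quoted attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable: any GET carrying ?query= is recorded (so a request made by a
// cross-site <iframe>, with the victim's cookies, writes into the victim's
// history) and stored queries are rendered into HTML verbatim.
function vulnerableSearch(req, history) {
  history.push(req.query.query);
  const items = history
    .map(q => `<li><a href="/search?query=${q}">${q}</a></li>`).join('');
  return `<h2>Search History</h2><ul>${items}</ul>`;
}

// Hardened:
//  1. Writes to history are accepted only for same-site or user-initiated
//     navigations (Sec-Fetch-Site, a modern header, assumed present) or for
//     requests carrying the user's session CSRF token.
//  2. Every stored query is escaped at render time, both as text and inside
//     the href attribute (URL-encoded), so stored markup stays inert.
function hardenedSearch(req, history, sessionToken) {
  const site = req.headers['sec-fetch-site'];
  const sameSite = site === 'same-origin' || site === 'none';
  const tokenOk = req.query.csrf !== undefined && req.query.csrf === sessionToken;
  if (sameSite || tokenOk) history.push(req.query.query);
  const items = history
    .map(q => `<li><a href="/search?query=${encodeURIComponent(q)}">${escapeHtml(q)}</a></li>`)
    .join('');
  return `<h2>Search History</h2><ul>${items}</ul>`;
}

// The PoC string used in the post, decoded.
const PAYLOAD = '"><script>alert(document.cookie)</script>';

// Replay the two-step flow the post describes against both implementations.
function simulate() {
  const vulnHistory = [];
  const hardHistory = [];
  const token = 'tok-constructed-123';  // constructed session token
  // Step 1: a hidden <iframe> on a third-party page requests the search URL;
  // the browser attaches the victim's cookies, so the request runs as the victim.
  const crossSite = { headers: { 'sec-fetch-site': 'cross-site' }, query: { query: PAYLOAD } };
  vulnerableSearch(crossSite, vulnHistory);
  hardenedSearch(crossSite, hardHistory, token);
  // Step 2: the victim later uses the engine normally.
  const normal = { headers: { 'sec-fetch-site': 'none' }, query: { query: 'cats' } };
  return {
    vulnerable: vulnerableSearch(normal, vulnHistory),
    hardened: hardenedSearch(normal, hardHistory, token),
  };
}

console.log(simulate());
```

The two fixes are independent and both are needed: rejecting the cross-site write stops the history from being poisoned at all, and escaping at render time means that even a query the user typed themselves (or one saved before the CSRF fix) can never turn into script when the history is displayed.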

Moral: even simple searching in an engine can be dangerous.

Note that the Netscape engine uses the AOL search engine (which uses the Google engine). So Google is also responsible for this vulnerability.

P.S.

I have also prepared other holes at Netscape Search, so wait for today's bonus post ;-).

Vulnerability digest

17:43 19.06.2007

In this digest, vulnerabilities in web applications:

  • Chatwm V1.0 SqL Injection Vuln. (details)
  • Perforce client: security hole by design (details)
  • Secure Login Manager Multiple Input Validation Vulnerabilities (details)
  • Host directory full disclosure and input error (details)
  • fetchmail security announcement 2006-02 (details)
  • fetchmail security announcement 2006-03 (details)
  • Multiple PHP remote file inclusion vulnerabilities in Site@School (S@S) (details)
  • Security restrictions bypass in Drupal Pubcookie (details)
  • Multiple vulnerabilities in IBM Director (details)
  • Cross-site scripting (XSS) vulnerability in eSyndiCat Portal System (details)

Month of Search Engines Bugs: day eighteen

23:35 18.06.2007

The Month of Search Engines Bugs continues, and today I published a new vulnerability.

On the eighteenth day of the Month of Search Engines Bugs I published a Cross-Site Scripting vulnerability. This time the information is about a hole in the Aport search engine.

An XSS vulnerability in Aport's web search.

We await the next day of Month of Search Engines Bugs.

MOSEB-18: Vulnerability at aport.ru

22:17 18.06.2007

The next participant of the project is the Aport search engine. It is one of the popular Russian search engines.

The vulnerability is in Aport's web search (sm.aport.ru). I already wrote about this vulnerability at aport.ru. I found this Cross-Site Scripting hole on 12.09.2006 and informed the vendor, but they still haven't fixed it.

XSS:

The vulnerability is in the r parameter:
http://sm.aport.ru/scripts/template.dll?That=std&r=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Moral: looking for sites can be dangerous.
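The Aport and WebCrawler holes above are the same pattern: a search parameter (r, qf, qn) reflected into the page without encoding. On the operator's side, probes for this are visible in the access log long before a report arrives. The following is an added example, not Aport's or WebCrawler's code and not the post author's, of a small detector that walks access-log lines, URL-decodes each query parameter (including double-encoded values), and flags values that carry script markup or event handlers (high) or any other HTML tag (medium). The log lines are constructed (the request paths mirror the PoC URLs on this page; client addresses are private-range placeholders), and the Combined-Log-style format is assumed.

```javascript
// Added example, not Aport's/WebCrawler's code and not the post author's: a
// detector for reflected-XSS probes in web-server access logs. Sample lines are
// constructed; client addresses are placeholders.

const SAMPLE_LOG = [
  '10.0.0.5 - - [20/Jun/2007:18:36:01 +0300] "GET /info.wbcrwl/white-pages/message.htm?otmpl=/white-pages/results.htm&qf=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E&searchtype=citystate HTTP/1.1" 200 5120',
  '10.0.0.7 - - [20/Jun/2007:18:37:14 +0300] "GET /info.wbcrwl/white-pages/message.htm?qf=John+Smith&qn=Kyiv HTTP/1.1" 200 4801',
  '10.0.0.9 - - [18/Jun/2007:22:17:40 +0300] "GET /scripts/template.dll?That=std&r=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 3900',
  '10.0.0.9 - - [18/Jun/2007:22:18:02 +0300] "GET /scripts/template.dll?That=std&r=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200 3900',
];

// Script tags, javascript: URLs and on*= handlers are the high-severity signals;
// any other tag is reported at medium severity for review.
const SCRIPT_MARKERS = /<\s*script\b|\bjavascript\s*:|\bon[a-z]+\s*=/i;
const ANY_TAG = /<\s*\/?[a-z][^>]*>/i;

// Pull method target out of the quoted request line; returns { path, query }.
function parseRequestLine(line) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  const i = m[1].indexOf('?');
  return i < 0
    ? { path: m[1], query: '' }
    : { path: m[1].slice(0, i), query: m[1].slice(i + 1) };
}

// Decode repeatedly (up to three layers) so double-encoded probes are seen
// the way the application would eventually see them. Invalid escapes are
// returned as-is rather than thrown.
function deepDecode(value) {
  let cur = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch { return cur; }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Inspect one log line; returns a finding per suspicious parameter.
function inspectLine(line) {
  const req = parseRequestLine(line);
  if (!req) return [];
  const findings = [];
  for (const [name, raw] of new URLSearchParams(req.query)) {
    const value = deepDecode(raw);
    if (SCRIPT_MARKERS.test(value)) {
      findings.push({ path: req.path, param: name, severity: 'high', value });
    } else if (ANY_TAG.test(value)) {
      findings.push({ path: req.path, param: name, severity: 'medium', value });
    }
  }
  return findings;
}

// Scan a whole log (array of lines) and return all findings in order.
function scanLog(lines) {
  return lines.flatMap(inspectLine);
}

console.log(scanLog(SAMPLE_LOG));
```

Grouping findings by `path` and `param` over a day of logs gives the list of reflected parameters worth fixing first; a parameter that shows up with high-severity values from several clients is usually already being probed by more than one person.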