[21514] in bugtraq
Fw: Searchengine vulnerability (i.e Lycos)
daemon@ATHENA.MIT.EDU (SRL Office)
Mon Jul 16 00:39:41 2001
Message-ID: <014b01c10af8$17599ac0$0100a8c0@darktech.org>
From: "SRL Office" <bugtraq@sentry-labs.com>
To: <bugtraq@securityfocus.com>
Date: Thu, 12 Jul 2001 19:28:35 +0200
I informed Lycos already about this some days before and I think they
recognized it, even though the answer seemed to be totally wrong for the case *?*.
Maybe other engines are vulnerable to this too, so I decided to inform the
public about this.
----
While searching for some Perl HTTP query module for a new project I discovered
some really strange behaviour of the Lycos search engine. It seems that the
engine does not correctly handle HTML code written as HTML-encoded text on
the indexed page.
example:
page: &lt;input&gt;
engine: <input>
The encoded string will be returned to the user with > instead of &gt; and
the user's browser will create an input field (it handles it as correct HTML
code).
Why is it dangerous?
A malicious user may create an interface embedded into the engine's pages
(worse if it supports PHP, building a shell is easy =P) or start a redirect
attack.
example:
A user creates a page with thousands of hidden words on his page to surely
get indexed and found easily (maybe sex and other often queried words).
He will embed hidden code into his site (on top, this is always shown by
default if no meta description exists) like
<script language="javascript">
window.open("spampage.htm") </script>
The engine will create HTML code and every time this site is accessed the user
will be spammed. The malicious user may insert new JavaScript or other code
into the opened window and do whatever he wants to (maybe Java which starts
an auto hack? Bam! Socket connections to server and client are allowed in
Java =) ).
Hopefully this is not a general issue or otherwise it may be a new way of
spamming users or doing more malicious things =(
Siberian
CSC Sentry research Labs
(www.sentry-labs.com)
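The decode-then-emit mistake the post describes, shown as an added Python example that is not code from the original post, from Lycos, or from Sentry Labs. It models a toy indexer that strips tags and decodes entities (so the index holds the characters the visitor saw), a result-page renderer that forgets to re-encode the stored text, the corrected renderer that escapes on output, and a small check a defender can run over rendered result snippets. The sample page, the function names and the result template are all constructed for this example.

```python
import html
import re

# Constructed sample page: the author wrote the entities &lt;input&gt; so
# that a visitor's browser displays the literal characters "<input>".
INDEXED_PAGE_SOURCE = (
    "<html><body><p>Try the &lt;input&gt; tag for forms.</p></body></html>"
)

TAG_RE = re.compile(r"<[^>]+>")

# Hypothetical result template used by both renderers below.
RESULT_PREFIX = '<div class="result">'
RESULT_SUFFIX = "</div>"


def extract_text(page_html: str) -> str:
    """Indexer step: strip tags, then decode entities so the index stores
    what the visitor actually saw. After this step the stored text
    contains a raw '<input>' even though the page never had that tag."""
    return html.unescape(TAG_RE.sub("", page_html))


def render_snippet_vulnerable(snippet: str) -> str:
    """Result-page builder that emits the stored text as-is. The decoded
    '<input>' leaves the server as live markup, which is the behaviour
    reported above."""
    return f"{RESULT_PREFIX}{snippet}{RESULT_SUFFIX}"


def render_snippet_fixed(snippet: str) -> str:
    """Same builder with output encoding: every character that has meaning
    in HTML is turned back into an entity at render time, regardless of
    how the index stored it."""
    return f"{RESULT_PREFIX}{html.escape(snippet, quote=True)}{RESULT_SUFFIX}"


def contains_foreign_markup(rendered: str) -> bool:
    """Defender-side check: does the rendered result contain any tag that
    the result template itself did not put there? Assumes the template
    wraps the snippet in RESULT_PREFIX/RESULT_SUFFIX exactly."""
    if not (rendered.startswith(RESULT_PREFIX) and rendered.endswith(RESULT_SUFFIX)):
        return True  # template shape broken; treat as suspicious
    body = rendered[len(RESULT_PREFIX):len(rendered) - len(RESULT_SUFFIX)]
    return TAG_RE.search(body) is not None


if __name__ == "__main__":
    stored = extract_text(INDEXED_PAGE_SOURCE)
    print("stored in index :", stored)
    print("vulnerable      :", render_snippet_vulnerable(stored))
    print("fixed           :", render_snippet_fixed(stored))
```

Decoding entities at index time is fine for searching; the defect is only in trusting that stored text on the way out. Escaping at the output boundary fixes the case in the post and also any other source of raw characters in the index, which is why `render_snippet_fixed` does not try to guess whether a given `<` was originally an entity.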