[NEWS] Search Engines HTML Parsing Vulnerability (Lycos)
From: support@securiteam.com
Date: 07/29/01
- Next message: support@securiteam.com: "[NT] Invalid RDP Data Can Cause Memory Leak in Terminal Services"
- Previous message: support@securiteam.com: "[NT] Proxomitron Cross-Site Scripting Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Search Engines HTML Parsing Vulnerability (Lycos)
Message-Id: <20010729192252.B9190138BF@mail.der-keiler.de>
Date: Sun, 29 Jul 2001 21:22:52 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Search Engines HTML Parsing Vulnerability (Lycos)
------------------------------------------------------------------------
SUMMARY
A security vulnerability has been confirmed in Lycos's search engine
(other engines are suspected to be vulnerable as well). The vulnerability
allows malicious web site owners to cause JavaScript code (or any other
HTML code) from their pages to be included in the search results that
Lycos displays to the end user.
DETAILS
It seems that the search engines do not correctly handle HTML code written
as HTML-encoded text (entities such as &lt; and &gt;) in the indexed page.
Example:
Page contains: &lt;input&gt;
Engine returns: <input>
The encoded string is decoded when the page is indexed and is returned to
the user with a literal > instead of &gt;, so the user's browser creates an
input field (it treats the result snippet as real HTML code).
Why is this dangerous?
A malicious site owner can embed his own interface (forms, scripts, links)
into the engine's result pages or start a redirect attack, all of it
rendered as part of the engine's own pages in the victim's browser. Note
that this is purely client-side injection: the markup is interpreted by
the visitor's browser, and the bug does not give the attacker code
execution on the engine's servers, whether or not they run PHP.
Example:
A user creates a page with thousands of hidden words (perhaps "sex" and
other often-queried words) so that it is sure to be indexed and easily
found. At the top of the page (the part the engine shows as the result
snippet by default when no meta description exists) he embeds hidden
code, written as HTML-encoded text, such as:
&lt;script language="javascript"&gt;
window.open("spampage.htm") &lt;/script&gt;
The engine decodes this into live HTML, and every time the result page is
accessed the user is spammed with a pop-up window. The malicious user can
insert further JavaScript or other code into the opened window and do
whatever he wants to.
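The mechanism described above (an indexer that decodes entities into plain text and a results page that writes that text back into HTML without re-escaping), reconstructed in Python as an added example. This is not Lycos's code and not code from the original advisory; the attacker page source, the snippet logic and the injected_tags audit helper are constructed assumptions for illustration.

```python
import html
import re

# Constructed sample of the attacker's page source (an assumption for this
# example, not a real page). The script tags are written as HTML-encoded text
# (&lt; &gt; &quot;), so on the attacker's own site they render as harmless
# literal characters; the padding words are there to get the page indexed.
ATTACKER_PAGE = (
    "<html><head><title>free stuff</title></head><body>"
    "&lt;script language=&quot;javascript&quot;&gt;"
    "window.open(&quot;spampage.htm&quot;)&lt;/script&gt;"
    "<p>sex sex sex lots of often-queried words</p>"
    "</body></html>"
)

TAG_RE = re.compile(r"<[^>]+>")
BODY_RE = re.compile(r"<body[^>]*>(.*?)</body>", re.S | re.I)


def extract_text(page_html):
    """Indexer step: keep the body, strip real tags, decode entities.

    Decoding is correct for *text* ('&lt;input&gt;' is the text '<input>'),
    but the decoded text must never be written back into HTML unescaped.
    """
    m = BODY_RE.search(page_html)
    body = m.group(1) if m else page_html
    return html.unescape(TAG_RE.sub(" ", body))


def snippet(text, length=160):
    """The engine shows the start of the page text when no meta description exists."""
    return " ".join(text.split())[:length]


def render_result_vulnerable(title, text):
    """The bug: decoded page text is interpolated into the results HTML verbatim."""
    return "<li><b>%s</b><br>%s</li>" % (title, snippet(text))


def render_result_fixed(title, text):
    """The fix: escape on output, so '<script>' reaches the browser as '&lt;script&gt;'."""
    return "<li><b>%s</b><br>%s</li>" % (html.escape(title), html.escape(snippet(text)))


def injected_tags(page_html, rendered_result):
    """Audit check: tags that were only encoded text in the source page but
    appear as live markup in the rendered result. A non-empty list means the
    engine is injecting the site's text into its own pages as HTML."""
    decoded = extract_text(page_html)
    return [tag for tag in TAG_RE.findall(decoded) if tag in rendered_result]


if __name__ == "__main__":
    text = extract_text(ATTACKER_PAGE)
    for name, render in (("vulnerable", render_result_vulnerable),
                         ("fixed", render_result_fixed)):
        out = render("free stuff", text)
        print(name, "->", out)
        print("  injected tags:", injected_tags(ATTACKER_PAGE, out))
```

The audit helper is the check a tester would run against a real engine: index a page whose visible text contains encoded tags, search for it, and compare the decoded page text against the result HTML; any tag that survives verbatim is being rendered as markup in the engine's origin.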
ADDITIONAL INFORMATION
The information has been provided by <mailto:bugtraq@sentry-labs.com> SRL
Office.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.