I informed Lycos about this some days before and I think they recognized it, even though the answer seemed to be totally wrong for the case *?*. Maybe other engines are vulnerable to this too, so I decided to inform the public about this.

----

While searching for some Perl HTTP query module for a new project I discovered some really strange behaviour of the Lycos search engine. It seems that the engine does not correctly handle HTML code written as HTML-encoded text on the indexed page: it decodes the entities when indexing and then emits the decoded string as live markup in its result pages.

example:

page:   &lt;input&gt;
engine: <input>

The encoded string will be returned to the user with > instead of &gt;, and the user's browser will create an input field (it handles it as correct HTML code).

Why is it dangerous?

A malicious user may create an interface embedded into the engine's pages (worse if it supports PHP, building a shell is easy =P) or start a redirect attack.

example:

A user creates a page with thousands of hidden words on his page to surely get indexed and found easily (maybe "sex" and other often queried words). He will embed hidden code into his site (on top, since this is always shown by default if no meta description exists) like

<script language="javascript"> window.open("spampage.htm") </script>

The engine will create HTML code out of it, and every time this site is accessed the user will be spammed. The malicious user may insert new JavaScript or other code into the opened window and do whatever he wants to (maybe Java which starts an auto hack? Bam! Socket connections to server and client are allowed in Java =) ).

Hopefully this is not a general issue, or otherwise it may be a new way of spamming users or doing more malicious things =(

Siberian CSC Sentry research Labs (www.sentry-labs.com)
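The decode-then-emit bug described above, as an added example that is not the original post's or Lycos's code: a toy indexer extracts page text with Python's HTMLParser (which decodes `&lt;input&gt;` to `<input>`, just as a real indexer does), then renders a result snippet either raw (the behaviour the post describes) or escaped on output (the fix). The sample page and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample page, standing in for a site the engine would index.
# The author wrote "&lt;input&gt;" as *text*, expecting browsers to show the
# literal characters "<input>", not to render an input field.
CONSTRUCTED_PAGE = (
    "<html><body><p>how to write an &lt;input&gt; tag</p>"
    "<p>more words: perl http query module</p></body></html>"
)


class TextExtractor(HTMLParser):
    """Collects the visible text of a page, the way an indexer would.

    HTMLParser decodes character references (convert_charrefs=True by
    default), so the stored text already holds a literal '<input>' rather
    than the '&lt;input&gt;' that was in the page source.
    """

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def text(self):
        return " ".join(c.strip() for c in self.chunks if c.strip())


def index_page(raw_html):
    """Return the decoded visible text that the index stores for a page."""
    parser = TextExtractor()
    parser.feed(raw_html)
    return parser.text()


def render_snippet_vulnerable(indexed_text):
    # The bug from the post: the decoded text is pasted straight into the
    # result page, so '<input>' (or a <script> block) becomes live markup.
    return "<div class=result>%s</div>" % indexed_text


def render_snippet_fixed(indexed_text):
    # Escape on output: whatever the index stores, the browser sees text only.
    return "<div class=result>%s</div>" % html.escape(indexed_text)


if __name__ == "__main__":
    stored = index_page(CONSTRUCTED_PAGE)
    print(render_snippet_vulnerable(stored))  # contains a live <input> tag
    print(render_snippet_fixed(stored))       # contains &lt;input&gt; as text
```

The point is that the decoding step is correct indexer behaviour; the defect is the missing escape on output, so the fix belongs where the snippet is rendered, not in the indexer.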
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 21:41:13 PDT