-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------
itcp advisory 4                   advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/4.html   March 14th, 2002
- -------------------------------------------------------------

translation.lycos.com and infoplease.lycos.com allow Cross Site Scripting
- --------------------------

Affected program: -
Vendor: Lycos.com
Vulnerability-Class: Cross Site Scripting (CSS)
OS specific: No
Problem-Type: remote

SUMMARY

Cross Site Scripting is possible in the translation and infoplease
services of lycos.com.

DETAILS

The translation and infoplease services of lycos.com do not check for
hostile input, so it is possible to steal cookies.

Bug analysis: Missing filters for characters like "<" or ">"

Impact: Stealing of cookies possible

Exploit:
The only thing you have to do is enter some HTML code in the textbox
or just click on the following links:

translation.lycos.com:
http://translation.lycos.com/?urltext=
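
The missing filtering named under "Bug analysis", shown as an added example that is not part of the original advisory or of Lycos code: a page that echoes the urltext parameter unchanged, beside the same page with the value encoded at output. The page template and all function names are assumptions; the example goes beyond "<" and ">" and also encodes quotes and "&", because an echoed value that sits inside an attribute needs them encoded as well.

```javascript
'use strict';

// Characters that can change HTML parsing context, mapped to entities.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Read the urltext parameter (name taken from the advisory) from a request URL.
function getUrlText(requestUrl) {
  const url = new URL(requestUrl, 'http://localhost');
  return url.searchParams.get('urltext') || '';
}

// Assumed page template: the value lands in an attribute and in element content.
function page(value) {
  return `<input type="text" name="urltext" value="${value}">\n` +
         `<div id="result">${value}</div>`;
}

// Before: the parameter is echoed unchanged, the behaviour the advisory reports.
function renderVulnerable(requestUrl) {
  return page(getUrlText(requestUrl));
}

// After: the same page with the value encoded at the point of output.
function renderEncoded(requestUrl) {
  return page(escapeHtml(getUrlText(requestUrl)));
}

// Number of tags the browser would see in the rendered markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample request carrying harmless markup.
const SAMPLE = '/?urltext=' + encodeURIComponent('"><b>injected</b>');

console.log(countTags(renderVulnerable('/')), 'tags in the empty page');
console.log(countTags(renderVulnerable(SAMPLE)), 'tags when echoed raw');
console.log(countTags(renderEncoded(SAMPLE)), 'tags when encoded');
```

When the encoded page has the same tag count as the empty page, the input was rendered as text and did not alter the document structure.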