Exactseek search buffer iframe XSS
Jayde Online Network webmaster@exactseek.com 

Donnie Werner
morning_wood@frame4.com
http://frame4.com Security Systems

Advisory ID:                  FSN-2003-002
Date:                         2003.05.25.
Original Advisory Date:       2003.05.25.
Discovery date:               2003.05.02.
Type:                         Vulnerability / Exploit
Product:                      Exactseek
Affected versions:            All (as of discovery date)
Fixed Version:                None
Vendor notified:              Nope
Product/vendor URL:           http://exactseek.com/



"ExactSeek.com is an internet search engine and directory that receives
 and indexes over 25,000 new site submissions daily. To date more than
 1 million web sites have been indexed and added to the ExactSeek database
 and that number is expected to exceed 2 million by year-end. In addition
 to standard web search results, ExactSeek also offers targeted searches
 of specialized databases. Currently, visitors can use niche search engines
 to find newsletters, articles, mp3 files, images, comparison shopping
 sites and police and investigative sites"


Vendor:
--------------------

Exactseek
Jayde Online Network
webmaster@exactseek.com 


Issue:
--------------------

 It appears that the exactseek engine keeps a buffer of the first request
to be searched again by "search in results".

As a note all requests with "<script>" are filtered as evidenced by no
XSS with the input of "<SCRIPT>alert(document.domain);</SCRIPT>"

--------------------

How to cause XSS ( part1 )


Browse to http://www.exactseek.com/ and enter into  "web Search" box the folowing, 

<iframe src=></iframe>

click go.

A new page shows blank except for a search bar with "search within results"
enter the folowing into the new box,

<iframe src="http://frame4.com"></iframe>
cgi-bin/admin.cgi

click go 

see iframe rendered

--------------------
More Exactseek XSS ( part2 )
---------------------

As part of exactseeks search site they offer "targeted" search boxes,
the following are directly affected from both the mainsite and their respective searchboxes.
enter the folowing into the search boxes..

<iframe src="http://frame4.com"></iframe>
<IMG SRC="javasc&#X0A;ript:alert('XSS Error');">
<IMG SRC="javasc&#X0A;ript:alert (document.domain)";" border="0" height="1" width="1">



Findings:
--------------------

Somehow the search string is being malformed from

"<iframe src="http://frame4.com"></iframe>"

to

"__<iframe __src="

and from

"<iframe src=></iframe>"

to

"__<iframe __src=></iframe>"

It then holds that in the buffer to be searched again,
leaving it self open to any number of creative exploits


Affected Sites:
--------------------

http://www.exactseek.com

http://www.goarticles.com/
http://www.goarticles.com/cgi-bin/search.cgi

http://www.sli-systems.com/exactseek.php
http://www.sli-systems.com/exactseek.php?w=%3Ciframe+src%3D%22http%3A%2F%2Fframe4.com%22%3E%3C%2Fiframe%3E&s.x=20&s.y=12


Credits:
--------------------
Donnie Werner
morning_wood@frame4.com
http://frame4.com