Exactseek search buffer iframe XSS
Jayde Online Network webmaster@exactseek.com
Donnie Werner
morning_wood@frame4.com
http://frame4.com Security Systems
Advisory ID: FSN-2003-002
Date: 2003.05.25.
Original Advisory Date: 2003.05.25.
Discovery date: 2003.05.02.
Type: Vulnerability / Exploit
Product: Exactseek
Affected versions: All (as of discovery date)
Fixed Version: None
Vendor notified: Nope
Product/vendor URL: http://exactseek.com/
"ExactSeek.com is an internet search engine and directory that receives
and indexes over 25,000 new site submissions daily. To date more than
1 million web sites have been indexed and added to the ExactSeek database
and that number is expected to exceed 2 million by year-end. In addition
to standard web search results, ExactSeek also offers targeted searches
of specialized databases. Currently, visitors can use niche search engines
to find newsletters, articles, mp3 files, images, comparison shopping
sites and police and investigative sites"
Vendor:
--------------------
Exactseek
Jayde Online Network
webmaster@exactseek.com
Issue:
--------------------
It appears that the Exactseek engine keeps a buffer of the first request
so that it can be searched again via "search in results".
As a note all requests with ""
--------------------
How to cause XSS ( part1 )
Browse to http://www.exactseek.com/ and enter the following into the "web Search" box,
then click go.
A new page shows blank except for a search bar with "search within results".
Enter the following into the new box,
cgi-bin/admin.cgi
click go
see iframe rendered
--------------------
More Exactseek XSS ( part2 )
---------------------
As part of Exactseek's search site they offer "targeted" search boxes;
the following are directly affected via both the main site and their respective search boxes.
Enter the following into the search boxes..
Findings:
--------------------
Somehow the search string is being malformed from
""
to
"__"
to
"__"
It then holds that in the buffer to be searched again,
leaving itself open to any number of creative exploits.
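The failure mode described above, as an added illustration that is not Exactseek's own code: a results page reflects the buffered search term into the "search within results" form without HTML-encoding it, beside the same page with the term escaped. The sample query string is constructed from the advisory's last affected URL; parameter name "w" and the search.cgi form action are taken from that URL, the page layout is assumed.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the query string of the last affected URL in the advisory,
# which a CGI would percent-decode before building the results page.
SAMPLE_QUERY = (
    "w=%3Ciframe+src%3D%22http%3A%2F%2Fframe4.com%22%3E%3C%2Fiframe%3E&s.x=20&s.y=12"
)


def extract_term(query_string: str) -> str:
    """Pull the search term (parameter 'w') out of a raw query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("w", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Reflect the buffered term verbatim into the 'search within results' form.
    This mirrors the advisory: whatever was typed is emitted as markup."""
    return (
        '<form action="/cgi-bin/search.cgi">'
        f'<input type="text" name="w" value="{term}">'
        f"<p>Search within results for: {term}</p>"
        "</form>"
    )


def render_results_fixed(term: str) -> str:
    """Same page, with the term escaped for both attribute and text context."""
    safe = html.escape(term, quote=True)  # escapes & < > " and '
    return (
        '<form action="/cgi-bin/search.cgi">'
        f'<input type="text" name="w" value="{safe}">'
        f"<p>Search within results for: {safe}</p>"
        "</form>"
    )


def contains_active_markup(page: str) -> bool:
    """Crude detection check: does an unescaped iframe tag survive in the output?"""
    return "<iframe" in page.lower()


if __name__ == "__main__":
    term = extract_term(SAMPLE_QUERY)
    print("vulnerable renders iframe:", contains_active_markup(render_results_vulnerable(term)))
    print("fixed renders iframe:     ", contains_active_markup(render_results_fixed(term)))
```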
Affected Sites:
--------------------
http://www.exactseek.com
http://www.goarticles.com/
http://www.goarticles.com/cgi-bin/search.cgi
http://www.sli-systems.com/exactseek.php
http://www.sli-systems.com/exactseek.php?w=%3Ciframe+src%3D%22http%3A%2F%2Fframe4.com%22%3E%3C%2Fiframe%3E&s.x=20&s.y=12
Credits:
--------------------
Donnie Werner
morning_wood@frame4.com
http://frame4.com