Sunday, June 10, 2007

Search Engines Riddled with XSS Holes - But Few Are Surprised

-----------------------------------------------------

MOSEB-10 Bonus: Vulnerabilities at www.ask.com

New bonus vulnerabilities at Ask. Silentz sent me the Cross-Site Scripting hole today (in the contact script). Nice one, man. After I checked it, I also found 3 additional holes in that script and 4 holes in another script. So there are a lot of new XSS holes at Ask (thanks to Silentz).

The holes at Ask (www.ask.com) are in the contact forms Ask Customer Service and Consumer Feedback. These are XSS vulnerabilities like those in MOSEB-10: Vulnerabilities at www.ask.com (8 new holes in total).

-----------------------------------------------------

The Month of Search Engine Bugs has been rolling along. Almost all of the holes have been XSS vulnerabilities in lesser known search engines (except for Ask.com).

So far the media response has been lackluster to almost non-existent. Even Microsoft didn't have too much to say on MoSEB.

Unless they start dropping huge XSS holes in Google or MS Live Search, I am not sure it will get much more media attention.

What about a Month of Standard Office Bugs? (MoSOB) - It could target Microsoft Office, StarOffice and OpenOffice.

4 comments:

  1. Technocrat

    About your statement that almost all holes have been XSS in lesser known search engines (except Ask): you looked through my site inattentively.

    You missed Yahoo (in MOSEB-02 http://websecurity.com.ua/998/) and MSN (in MOSEB-05 http://websecurity.com.ua/1010/). It was MSN, Microsoft's site, and I posted about holes at search.live.com before the MOSEB project (http://websecurity.com.ua/493/).

    And there was AltaVista recently (in MOSEB-12 http://websecurity.com.ua/1038/). And about Google I'll write very soon ;-) (so don't miss).

    P.S.

    Month of Standard Office Bugs is also a nice idea.

  2. I stand corrected on my statement about lesser known search engines.

    I figured you were saving some of the best for last ;)

  3. Although MOSEB may not be in the media spotlight, I think it still addresses the point/s it intends on addressing, which is that some of the biggest and well-known search engines are vulnerable.

    Also, you've gotta think that this is (mostly) one guy disclosing the holes which he has found. Imagine the holes that are yet to be uncovered or that HAVE been uncovered but not fully disclosed to the public.

  4. Silentz,

    I fully agree with you and that is why I am keeping an eye on the project myself.

    However, it is well known that XSS vulns are everywhere. CERT will tell you, MITRE will tell you, and most security vendors will tell you that SQL injection and XSS vulns are everywhere.

    While XSS vulns are more client attack based, SQL injections offer an attacker the means to gather a very large amount of personal data in no time flat.

    Am I suggesting that a person find SQL injections and then release them? No!

    Most likely, a project of that type would land a person in legal trouble very quickly.
