Bugtraq mailing list archives

Fw: Searchengine vulnerability (i.e Lycos)


From: "SRL Office" <bugtraq () sentry-labs com>
Date: Thu, 12 Jul 2001 19:28:35 +0200

 I informed Lycos about this some days ago already and I think they
 recognized it, even though the answer seemed to be totally wrong for the case *?*.
 Maybe other engines are vulnerable to this too, so I decided to inform the
 public about this.

 ----

 While searching for some Perl HTTP query module for a new project I discovered
 some really strange behaviour of the Lycos search engine. It seems that the
 engine does not correctly handle HTML code written as HTML-encoded text on
 the indexed page.

 example:

 page: &lt;input&gt;
 engine: <input>

 The encoded string will be returned to the user with > instead of &gt; and
 the user's browser will create an input field (it handles it as correct HTML
 code).


 Why is it dangerous?

 A malicious user may create an interface embedded into the engine's pages
 (worse if it supports PHP, building a shell is easy =P) or start a redirect
 attack.

 example:

 A user creates a page with thousands of hidden words on his page to surely
 get indexed and found easily (maybe sex and other often queried words).

 He will embed hidden code into his site (on top, this is always shown by
 default if no meta description exists) like

 &lt;script language=&quot;javascript&quot;&gt;
 window.open(&quot;spampage.htm&quot;) &lt;/script&gt;

 The engine will create HTML code and every time this site is accessed the user
 will be spammed. The malicious user may insert new JavaScript or other code
 into the opened window and do whatever he wants to (maybe Java which starts
 an auto hack? Bam! Socket connections to server and client are allowed in
 Java =) ).

 Hopefully this is not a general issue, otherwise it may be a new way of
 spamming users or doing more malicious things =(


 Siberian
 CSC Sentry research Labs
 (www.sentry-labs.com)
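The defect described in the post, as an added illustration that is not part of the original message or of any search engine's code: a result-page snippet generator that decodes the entities it indexed and splices the decoded text into its own HTML (the behaviour reported above), beside the version that re-escapes at the output boundary, plus a check a defender can run over rendered snippets. The indexed page text and the `<p class="snippet">` wrapper are constructed assumptions.

```python
import html

# Constructed sample of an indexed page body, in the shape the post describes:
# the page author wrote HTML entities into the page text, so a browser showing
# the page itself renders them as literal characters, not as live markup.
INDEXED_PAGE_TEXT = (
    "hidden words hidden words "
    "&lt;script language=&quot;javascript&quot;&gt;"
    "window.open(&quot;spampage.htm&quot;)&lt;/script&gt;"
)

WRAPPER_OPEN = '<p class="snippet">'   # assumed engine markup around a snippet
WRAPPER_CLOSE = "</p>"


def snippet_vulnerable(page_text: str, max_len: int = 200) -> str:
    """Mirrors the reported behaviour: entities are decoded for indexing and
    the decoded text is then written straight into the result page, so the
    entity-encoded text from the source page becomes live markup."""
    decoded = html.unescape(page_text)
    return WRAPPER_OPEN + decoded[:max_len] + WRAPPER_CLOSE


def snippet_safe(page_text: str, max_len: int = 200) -> str:
    """Fix: decoding for indexing is fine, but everything emitted into the
    result page is escaped again at the output boundary, so the user's browser
    sees the same literal text that the source page displayed."""
    decoded = html.unescape(page_text)
    return WRAPPER_OPEN + html.escape(decoded[:max_len], quote=True) + WRAPPER_CLOSE


def snippet_body(rendered: str) -> str:
    """Return what sits between the engine's own wrapper tags."""
    return rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]


def snippet_introduces_markup(rendered: str) -> bool:
    """Defender-side check over a rendered result: the snippet body must not
    contain a raw '<' at all; any that appears came from the indexed page,
    not from the engine, and will be parsed as a tag by the browser."""
    return "<" in snippet_body(rendered)


if __name__ == "__main__":
    for name, fn in (("vulnerable", snippet_vulnerable), ("safe", snippet_safe)):
        out = fn(INDEXED_PAGE_TEXT)
        print(f"{name}: markup leaked = {snippet_introduces_markup(out)}")
        print("  " + out)
```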
