[WEB SECURITY] URL Spoofing vulnerability in bots of search engines #2

MustLive mustlive at websecurity.com.ua
Thu Apr 30 14:02:27 EDT 2009


Hello, participants of the Mailing List.

I already wrote you 
(http://www.webappsec.org/lists/websecurity/archive/2009-04/msg00047.html) 
about the URL Spoofing vulnerability in GoogleBot, Yahoo! Slurp, Mozilla and 
Internet Explorer (http://websecurity.com.ua/3079/), which can also exist 
in bots of other search engines. Let's continue this talk.

As I mentioned, with this vulnerability it's possible to spoof URLs and
conduct phishing attacks, and to use it for spreading malware. Besides, this
method can be used for SEO, to add new keywords into the URL while at the same
time not overloading the real address of the web site.

In the previous advisory I wrote about the use of a space for the URL Spoofing
attack, which I also called domain gluing. As I checked, besides the space (%20),
other chars can also be used for this attack.

Mozilla supports: %00..%ff.

http://site.com%00www.tab.net.ua/sites/blog/site_name.mikolasz/id.195/
...
http://site.com%ffwww.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

IE6 and IE7 support: %20..%2d and %30..%ff.

http://site.com%20www.tab.net.ua/sites/blog/site_name.mikolasz/id.195/
...
http://site.com%ffwww.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

At that, during the request to the site IE immediately changes url-encoded chars
to their common equivalents, or removes them entirely (if these chars are not
displayed).

Note that while I found space chars (%20) in addresses of sites for conducting
this attack in search engines (Google and Yahoo), I didn't encounter the use of
other chars, so it's not known whether search engines support the indexing of
such chars in domain names. But potentially bots of search engines can support
them (GoogleBot, Yahoo! Slurp and others).

Also I found that the possibility of this attack depends on the settings of the
web server, which must support any domain. So this attack can be conducted not
at any web site, but only at appropriately configured ones.

In particular, besides www.tab.net.ua, this attack is also possible at
www.engadget.com and www.poweroptimizer.com.

URL Spoofing:

Indexed by Google:

http://www.kp.ruget.com.20www.engadget.com
Scheme: http://www.site.com%20www.engadget.com

Indexed by Yahoo:

http://www.energyopt.com.%20www.poweroptimizer.com
Scheme: http://www.site.com%20www.poweroptimizer.com

Vulnerable is GoogleBot.

Vulnerable is Yahoo! Slurp.

Vulnerable are Mozilla 1.7.x and previous versions.

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
Explorer 7 (7.0.6001.18000) and previous versions. And potentially IE8.

I mentioned this vulnerability at my site:
http://websecurity.com.ua/3096/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
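As an added example, not part of MustLive's post, here is a defender-side check in Python for a crawler or link filter: it validates the host of a URL before any percent-decoding, so the %00..%ff "domain gluing" bytes described above are flagged rather than decoded into a hostname. The sample URLs are constructed from the patterns in the post, and the helper names (`raw_host`, `strict_host`, `classify`) are my own.

```python
import re
from urllib.parse import urlsplit, unquote

# One DNS label: letters, digits and hyphens, 1-63 chars, no edge hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def raw_host(url: str) -> str:
    """Host part of the authority exactly as written, before any decoding.
    Userinfo and port are dropped; IPv6 literals are not handled here."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]
    return netloc.split(":", 1)[0]


def strict_host(url: str):
    """Lowercased host if it is a plain DNS hostname, else None.
    A percent sign anywhere in the host fails the check, because the host
    is validated undecoded: "site.com%20www.tab.net.ua" never becomes a name."""
    host = raw_host(url).rstrip(".")
    if not host or "%" in host:
        return None
    if not all(_LABEL.match(label) for label in host.split(".")):
        return None
    return host.lower()


def decoded_host(url: str) -> str:
    """What a decode-first parser would see: %XX turned into its byte.
    Shown only to make the ambiguity visible, never used for a lookup."""
    return unquote(raw_host(url), errors="replace")


def classify(url: str) -> str:
    """'ok' for a clean hostname, 'glued' when the host carries percent-
    encoding (the advisory's pattern), 'invalid' for any other bad host.
    Note: the search-engine-indexed form with the % already stripped
    (e.g. www.kp.ruget.com.20www.engadget.com) is a syntactically valid
    name and passes, so the check belongs on the raw URL before decoding."""
    if strict_host(url):
        return "ok"
    return "glued" if "%" in raw_host(url) else "invalid"


# Constructed sample: the advisory's patterns plus an ordinary URL for contrast.
SAMPLE_URLS = [
    "http://site.com%20www.tab.net.ua/sites/blog/site_name.mikolasz/id.195/",
    "http://site.com%00www.tab.net.ua/",
    "http://site.com%ffwww.tab.net.ua/",
    "http://www.tab.net.ua/sites/blog/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):8} raw={raw_host(u)!r} decoded={decoded_host(u)!r}")
```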

