Securityvulns SECURITYVULNS:DOC:21739
Apr 27, 2009 - 12:00 a.m.

URL Spoofing vulnerability in GoogleBot, Yahoo! Slurp, Mozilla and Internet Explorer

vulners.com

Hello 3APA3A!

I want to warn you about a URL Spoofing vulnerability in GoogleBot,
Yahoo! Slurp, Mozilla and Internet Explorer. While I often find
vulnerabilities in browsers, this is the first time I have found a
vulnerability in a search engine's bot (spider). Bots of other search
engines can also be vulnerable.

I found this vulnerability back in November 2008. I found it in
Google (GoogleBot), but as I checked recently, Yahoo's bot (Yahoo!
Slurp) is vulnerable too.

With this vulnerability it's possible to spoof a URL and conduct
phishing attacks, and to use it for spreading malware. Besides, this
method can be used for SEO, to add new keywords into the URL while not
overloading the real address of the web site.

URL Spoofing:

http://www.site.com%20www.site2.com

By using the space character it's possible to spoof the address of the
site in the address bar. First, a fake address http://www.site.com must
be set, then %20 (one or more), and then www.site2.com. As a result, the
browser will show the constructed address in the address bar, but will
go to the site http://www.site2.com.

http://www.siiiiiiiiiiiiiiiiiiiite.com%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20www.site2.com

There must be no more than 19 space characters (in URL-encoded form,
%20), otherwise Mozilla will show an error message. IE has no problem
with this character, and a larger number of spaces can be used there.
In Mozilla, to hide the real address (so that it does not fit into the
address bar), it's possible to use additional characters in the address
of the first site, which can also be done in IE.

The vulnerability of GoogleBot and Yahoo! Slurp consists in the fact
that they support and index such addresses, and the vulnerability of
Mozilla and IE in that they allow navigation to such addresses.
Vulnerable to this attack are GoogleBot, Yahoo! Slurp, Mozilla 1.7.x and
IE6. New browsers, such as Firefox 3, Opera 9 and Chrome, are not
vulnerable.

Real examples of this attack (indexed by Google):

http://www.google.com.ua/search?q=inurl:www.infostore.org+inurl:www.tab.net.ua&filter=0

Vulnerable is GoogleBot.

Vulnerable is Yahoo! Slurp.

Vulnerable are Mozilla 1.7.x and previous versions.

Vulnerable version is Internet Explorer 6 (6.0.2900.2180) and previous
versions. And potentially IE7 and IE8.

I mentioned this vulnerability on my site:
http://websecurity.com.ua/3079/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
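
A check that an indexer or link filter could apply to the URL form described in the message above, given here as an added example that is not part of the original post: it flags any URL whose host component contains whitespace once percent-decoded. The helper name `check_host` and its result fields are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Authority per RFC 3986: text between "//" and the next "/", "?" or "#".
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def check_host(url):
    """Return None for a clean host, else a dict describing the split host.

    Hypothetical helper for this illustration, not a browser or crawler API.
    """
    m = _AUTHORITY.match(url.strip())
    if not m:
        return None
    host = m.group(1).rsplit("@", 1)[-1]   # drop userinfo
    host = re.sub(r":\d*$", "", host)      # drop port
    decoded = unquote(host)                # "%20" becomes " "
    spaces = sum(ch.isspace() for ch in decoded)
    if spaces == 0:
        return None
    labels = decoded.split()
    return {
        "shown_first": labels[0] if labels else "",   # what the user reads first
        "trailing": labels[-1] if labels else "",     # text after the spaces
        "whitespace": spaces,
    }


# The two URL shapes from the post, plus constructed clean controls.
SAMPLES = [
    "http://www.site.com%20www.site2.com",
    "http://www.siiiiiiiiiiiiiiiiiiiite.com" + "%20" * 19 + "www.site2.com",
    "http://www.site.com/some%20page",   # constructed: space in path only
    "http://www.site2.com/",             # constructed: ordinary URL
]

if __name__ == "__main__":
    for u in SAMPLES:
        finding = check_host(u)
        print("REJECT" if finding else "ok    ", u[:60], finding or "")
```

A space in the path or query is legitimate, so only the host component is examined; a URL that trips this check can be refused for indexing or rendered with the decoded host shown in full.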