SECURITYVULNS:DOC:21754
May 01, 2009 - 12:00 a.m.

URL Spoofing vulnerability in GoogleBot, Yahoo! Slurp, Mozilla and Internet Explorer #2

vulners.com

Hello 3APA3A!

I already wrote you about the URL Spoofing vulnerability in GoogleBot,
Yahoo! Slurp, Mozilla and Internet Explorer
(http://websecurity.com.ua/3079/), which can also exist in the bots of
other search engines.

As I mentioned, with this vulnerability it's possible to spoof a URL and
conduct phishing attacks, and to use it for spreading malware. Besides,
this method can be used for SEO, to add new keywords into a URL while at
the same time not overloading the real address of the web site.

In the previous advisory I wrote about using a space for the URL Spoofing
attack, which I also called domain gluing. As I checked, besides the space
(%20), other chars can also be used for this attack.

Mozilla supports: %00…%ff.

http://site.com%00www.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

http://site.com%ffwww.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

IE6 and IE7 supports: %20…%2d and %30…%ff.

http://site.com%20www.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

http://site.com%ffwww.tab.net.ua/sites/blog/site_name.mikolasz/id.195/

In doing so, IE, during the request to the site, immediately changes the
url-encoded chars to their common equivalents, or removes them altogether
(if these chars are not displayed).

Note that while I found space chars (%20) in the addresses of sites for
conducting this attack in search engines (Google and Yahoo), I did not
encounter the use of other chars, so it's not known whether search
engines support the indexing of such chars in domain names. But
potentially the bots of search engines can support them (GoogleBot,
Yahoo! Slurp and others).

Also I found that the possibility of this attack depends on the settings
of the web server, which must support any domains. So this attack can be
conducted not at any web site, but only at appropriately configured
ones.

In particular, besides www.tab.net.ua, this attack is also possible at
www.engadget.com and www.poweroptimizer.com.

URL Spoofing:

Indexed by Google:

http://www.kp.ruget.com.20www.engadget.com
Scheme: http://www.site.com%20www.engadget.com

Indexed by Yahoo:

http://www.energyopt.com.%20www.poweroptimizer.com
Scheme: http://www.site.com%20www.poweroptimizer.com

Vulnerable is GoogleBot.

Vulnerable is Yahoo! Slurp.

Vulnerable are Mozilla 1.7.x and previous versions.

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
Explorer 7 (7.0.6001.18000) and previous versions. And potentially IE8.

I mentioned this vulnerability at my site:
http://websecurity.com.ua/3096/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
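As an added example that is not part of MustLive's post nor code from any of the products named in it, the following Python check flags URLs whose host component carries a percent-encoded byte (the "domain gluing" pattern described above), shows what a decode-before-parse pipeline would have seen, and implements the server-side Host header allowlist that the post's "must support any domains" remark implies as the mitigation. It generalizes slightly by also rejecting any host character outside the DNS name alphabet; the hostnames in the test calls are the post's own examples, and `ALLOWED_HOSTS` is a constructed value.

```python
import re
from urllib.parse import urlsplit, unquote

# A DNS reg-name or IPv4 host may contain only letters, digits, '.' and '-'.
# A '%' in the host component is the tell-tale of the "domain gluing" trick.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")

# Constructed allowlist for the server-side check below (not from the post).
ALLOWED_HOSTS = frozenset({"www.engadget.com", "engadget.com"})


def glued_host_suspects(url: str) -> dict:
    """Inspect a URL's host component without decoding it first.

    urlsplit() keeps '%xx' sequences in the host verbatim, so the glued
    address shows up as one malformed host rather than as two domains.
    """
    host = urlsplit(url).hostname or ""
    report = {"host": host, "suspicious": False, "reasons": []}
    if not host:
        report["suspicious"] = True
        report["reasons"].append("empty host")
    elif "%" in host:
        report["suspicious"] = True
        report["reasons"].append("percent-encoding in host component")
        # What the user (or a decode-then-parse pipeline) is meant to see:
        # the decoy label before the encoded byte, then the real host.
        report["visible_prefix"] = host.split("%", 1)[0]
        report["decoded_host"] = unquote(host)
    elif not _HOST_RE.match(host):
        report["suspicious"] = True
        report["reasons"].append("host has characters outside reg-name")
    return report


def host_header_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Server-side mitigation: serve only the names this virtual host owns.

    The post says IE sends the decoded or stripped byte, so the Host header
    arrives as e.g. 'www.site.com www.engadget.com' or
    'www.site.comwww.engadget.com'; neither survives this check.
    """
    host = host_header.strip().lower().rstrip(".")
    host = host.split(":", 1)[0]  # drop an explicit port
    return bool(_HOST_RE.match(host)) and host in allowed
```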