Computer Academic Underground
http://www.caughq.org
Security Advisory

===============/========================================================
Advisory ID:     CAU-1998-0005
Release Date:    1998.12.05
Title:           Yahoo Search Engine - Search Engine Reply Manipulation
Application/OS:  Yahoo Search Engine
Topic:           The Yahoo Search Engine can be manipulated to return
                 arbitrary HTML as part of the search response.
Vendor Status:   No Response
Attributes:      Data Injection
Advisory URL:    http://www.caughq.org/advisories/CAU-1998-0005.txt
Author/Email:    Puff - puff@pagez.net
                 Protocol - protocol@pagez.net
                 I)ruid (druid@caughq.org)
===============/========================================================

Problem
-------

The search engine used by www.yahoo.com (and many other sites) does not
parse out HTML entered into the search form field. The search engine
places the full contents of the search form field directly into the
results page.

Example
-------

Open a web browser to http://www.yahoo.com

In the search form field, enter the following:

Hello World!

Also, check out this link to see more fun to be had using layers:
http://www.caughq.org/cgi-bin/CAU/yahoofun

Technical Explanation
---------------------

The Yahoo search engine does not parse text entered into its search form
field the way most other search engines do. Most other search engines
parse out HTML (strip or encode it) so that it is not placed in the page
as markup and interpreted by the browser. Yahoo's search engine passes
the text entered into the search form field to the search back end as a
normal query, but then copies it verbatim into the HTML reply sent to
the browser that requested it, so any markup in the query is rendered
by the browser as part of the results page.

Solution
--------

The only version of this search engine that has been tested is the one
currently in use at www.yahoo.com. If the version of this search engine
you are using is vulnerable, wait until a patch or a new version is
released, then upgrade. Until then, the search CGI (or a wrapper placed
in front of it) should HTML-encode the query before echoing it into the
results page, which is what the other search engines mentioned above
already do.

How To Exploit
--------------

To exploit this, you can do one of two things: go to the page with the
search form field on it and manually type in the HTML you want to enter
into the results page, or build a link with the command line for the
CGI as part of the link on a web page (or e-mail the link to a friend).
We'll let you figure out how to build the command line yourselves. Just
think what you can do with web servers that have SSI enabled.
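The defect described above, as an added example (not part of the CAU advisory and not Yahoo's code): a minimal search-results renderer that reflects the query verbatim, next to the corrected version that HTML-encodes it, plus the link-building step the "How To Exploit" section alludes to. The CGI path (search.cgi), the parameter name (q), the host (search.example) and the payload are all assumed for illustration; the real Yahoo command line is not reproduced here.

```python
"""Reflected HTML injection in a search results page: vulnerable vs fixed.

Added example, not the advisory's or Yahoo's code. Names below
(search.cgi, parameter 'q', host search.example) are assumptions.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payload: a harmless tag standing in for the advisory's example.
PAYLOAD = "<b>Hello World!</b>"

# Assumed CGI location and parameter name (not Yahoo's real ones).
BASE_URL = "http://search.example/search.cgi"
PARAM = "q"


def render_results_vulnerable(query: str) -> str:
    """Copies the raw query into the HTML reply, as the advisory describes.

    Any markup in the query is sent to the browser as markup.
    """
    return ("<html><body><h1>Results for: " + query + "</h1>"
            "<p>No matches.</p></body></html>")


def render_results_fixed(query: str) -> str:
    """Encodes the query so the browser shows it as text, not markup.

    html.escape turns < > & " ' into entities; the search term is still
    legible, but a <b> in the query arrives as &lt;b&gt;.
    """
    return ("<html><body><h1>Results for: " + html.escape(query, quote=True)
            + "</h1><p>No matches.</p></body></html>")


def build_search_link(query: str, base_url: str = BASE_URL) -> str:
    """Builds the GET link an attacker would put on a page or e-mail around.

    urlencode percent-encodes the markup so it survives the trip through
    the browser and the CGI's query-string parser.
    """
    return base_url + "?" + urlencode({PARAM: query})


def query_from_link(link: str) -> str:
    """Server side: recover the query the CGI would see from such a link."""
    return parse_qs(urlsplit(link).query)[PARAM][0]


def reflects_markup_unescaped(page: str, payload: str) -> bool:
    """Check a practitioner would run: did the tag come back verbatim?"""
    return payload in page


if __name__ == "__main__":
    link = build_search_link(PAYLOAD)
    q = query_from_link(link)
    print("link:     ", link)
    print("vulnerable:", reflects_markup_unescaped(render_results_vulnerable(q), PAYLOAD))
    print("fixed:     ", reflects_markup_unescaped(render_results_fixed(q), PAYLOAD))
```

The vulnerable renderer is the behaviour the advisory reports; the fixed one is the change the "Solution" section asks for. The same check (send a tag, look for it unencoded in the reply body) is how you confirm whether another deployment of the engine is affected.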