Bing.com Search engine, cache.aspx XSS
vendor url: http://www.bing.com
advisory: http://lostmon.blogspot.com/2009/07/bingcom-search-engine-cacheaspx-xss.html
vendor notified: yes; vendor confirmed: yes
###########################################
Bing search engine contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does not
properly validate the 'q' variable upon submission to the 'cache.aspx'
script. This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading to
a loss of integrity.
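
Added example (not part of the original advisory and not Bing's code): the flawed pattern described above, a request parameter echoed into markup without encoding, beside the output-encoded form, with a small regression check. The template, the function names and the sample query string are hypothetical; the advisory does not show where cache.aspx echoes 'q'.

```python
import html
from urllib.parse import parse_qs

# Hypothetical template: the advisory does not show where cache.aspx echoes 'q',
# so this assumes one attribute-value reflection and one text-node reflection.
TEMPLATE = (
    '<form action="/search"><input name="q" value="{q}"></form>\n'
    '<p>Cached result for: {q}</p>'
)


def get_q(query_string: str) -> str:
    """Return the URL-decoded 'q' parameter, or '' if it is absent."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Flawed pattern: the decoded value is copied into the markup unchanged."""
    return TEMPLATE.format(q=get_q(query_string))


def render_safe(query_string: str) -> str:
    """Hardened pattern: encode on output; quote=True also covers attribute values."""
    return TEMPLATE.format(q=html.escape(get_q(query_string), quote=True))


def reflects_raw(body: str, q: str) -> bool:
    """Regression check: True if a value with markup characters appears verbatim."""
    return any(c in q for c in '<>"\'') and q in body


# Constructed sample query string (not taken from the advisory).
SAMPLE = "q=%22%3E%3Cb%3Emarker%3C%2Fb%3E&d=1"

if __name__ == "__main__":
    q = get_q(SAMPLE)
    print("unsafe reflects raw:", reflects_raw(render_unsafe(SAMPLE), q))
    print("safe reflects raw:  ", reflects_raw(render_safe(SAMPLE), q))
    print(render_safe(SAMPLE))
```
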
#########
solution:
##########
No solution at this time,
but Microsoft is planning to patch it
in the new code release from Bing.
#############
timeline:
#############
discovered: 08 jun 2009
vendor notified: 11 jun 2009
vendor response: 11 jun 2009
vendor last response: 30 jun 2009
disclosure: 29 jul 2009
################ End #####################
thnx to estrella for being my light
thnx to Brink, he investigated with me.
thnx to all who support me day after day !!!
--
sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move...