This method is already known on many other servers like Google Translator and other online services.
I don’t know if I might consider this to be a security issue. Let’s call it a special Bing Translator feature 🙂

Using the Bing Translator service, anyone can use its IP addresses as a proxy. Malicious users could use this method as a platform to launch web attacks (XSS, SQL injection, etc.). Users could also use this service to visit blocked sites.

Example:

http://www.microsofttranslator.com/bv.aspx?from=en&to=en&a=http://www.davidsopas.com/XXE

I noticed in my web server logs that I had two requests made by 157.56.2.63 [msnbot-157-56-2-63.search.msn.com].

Another example, showing the IP of the user (ip.php just shows $_SERVER["REMOTE_ADDR"]):

http://www.microsofttranslator.com/bv.aspx?from=en&to=en&a=http://www.davidsopas.com/poc/ip.php

I noticed that if you set both languages in the pair to the same one (i.e., en-en for English to English), the translation is effectively skipped but the requested web content is still served from Microsoft servers.

Google had the same issue in the past. They fixed the language-pair part to prevent misuse of their translation service. Now in Google Translator you always need to choose a different language every time.
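
For a web filter or proxy-log review, the wrapped destination can be pulled back out of a translator URL and checked against the normal block policy, with same-language pairs flagged separately. This is an added example, not code from the original post; the endpoint table, the `blocked.example` policy entry and the function names are assumptions, and only the `bv.aspx?from=&to=&a=` layout comes from the URLs above.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: endpoint table maps (host, path) -> (from, to, target) parameter
# names. Only this entry is taken from the URLs shown in the post.
TRANSLATOR_ENDPOINTS = {
    ("www.microsofttranslator.com", "/bv.aspx"): ("from", "to", "a"),
}
BLOCKED_HOSTS = {"blocked.example"}  # constructed policy entry


def unwrap(url, max_depth=5):
    """Peel translator wrappers; return (final_url, list of language pairs)."""
    layers = []
    for _ in range(max_depth):
        parts = urlsplit(url)
        key = ((parts.hostname or "").lower(), parts.path.lower())
        names = TRANSLATOR_ENDPOINTS.get(key)
        if names is None:
            break  # not a translator URL: this is the real destination
        query = parse_qs(parts.query)  # also percent-decodes the values
        target = query.get(names[2], [""])[0].strip()
        if not target:
            break
        if "://" not in target:
            target = "http://" + target  # scheme omitted in the wrapper
        src = query.get(names[0], [""])[0].lower()
        dst = query.get(names[1], [""])[0].lower()
        layers.append((src, dst))
        url = target
    return url, layers


def classify(url):
    """Return (verdict, destination) for one requested URL."""
    final_url, layers = unwrap(url)
    if not layers:
        return "direct", final_url
    host = (urlsplit(final_url).hostname or "").lower()
    if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
        return "block", final_url  # filtered site reached via translator
    if any(src and src == dst for src, dst in layers):
        return "alert", final_url  # no-op translation: plain proxy use
    return "allow", final_url
```
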