MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine
22:57 15.06.2007
A new bonus vulnerability in Google. This time the hole is not directly on Google's own site, as in MOSEB-15: Vulnerabilities at images.google.com, but in its search product called Google Custom Search Engine (also known as Google Co-op).
The hole is in Google Custom Search Engine, which can be used as a local search engine for a site or as a custom engine for special purposes. This engine is currently used by a lot of sites, so many of them can be vulnerable.
Searching in Google (aka Google Hacking) lets you quickly find sites that use Google Custom Search Engine and then find holes in them. So every user of this engine needs to pay attention to security.
The vulnerability is in the q parameter (in the main search script). The URL-encoded value below decodes to </title><script>alert(document.cookie)</script>: the leading </title> indicates that the query is reflected unescaped inside the page's <title> element, so the payload first closes the title and then injects a script:
http://site/search.php?q=%3C%2Ftitle%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
As examples I'll show three sites that use this custom search engine: jumpup.intuit.com (hole found 25.10.2006), ukrbs.org.ua (hole found 17.04.2007) and progler.ru (hole found 15.06.2007). The findings for each site, in that order:
XSS:
* alert(document.cookie)
* redirector
* html injection (PR4)
The page with the html injection hole also has PR4, which will be of interest to black-hat SEO people.
XSS:
* alert(document.cookie)
* redirector
* html injection
XSS:
* alert(document.cookie)
* redirector
* html injection
The main question: does Google think about its users' security? Not much. The same goes for the other site-search engines, Yandex in MOSEB-07 Bonus and AltaVista in MOSEB-12 Bonus. Vendors have a lot of room for improvement.
Moral #1: searching in custom engines can be dangerous.
Moral #2: if you use a local (custom) search engine on your site, even one from a famous vendor, always include it in the security audit of the site.
Moral #3: if you are a top search engine vendor, you need to pay attention to the security of your applications and not put the users of your services at risk.