SECURITYVULNS:DOC:17487 (securityvulns.com), Jul 13, 2007

MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine

Source: vulners.com

22:57 15.06.2007

A new bonus vulnerability in Google. In this case the vulnerability is not directly at Google's own site, as in MOSEB-15: Vulnerabilities at images.google.com, but in its search engine product Google Custom Search Engine (also known as Google Co-op).

The hole is in Google Custom Search Engine, which can be embedded as a site-local search engine or as a custom engine for special purposes. At present this engine is used by a lot of sites, so many of them may be vulnerable.

Searching in Google (Google Hacking) lets you quickly find sites that use Google Custom Search Engine and then find the holes in them. So every user of this engine needs to attend to security.

The vulnerability is in the q parameter (in the main script):
http://site/search.php?q=%3C%2Ftitle%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E

Decoded, the payload is </title><script>alert(document.cookie)</script>: the search query is reflected into the page's <title> element without HTML escaping, so closing the title lets the rest of the value be parsed as live markup and the script runs.
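As an added example (not code from the advisory and not Google's code), the JavaScript below models the reflection behind this payload: a hypothetical search page template writes q into <title> unescaped, and a checker mimics the browser's rule that <title> content is text only up to the first literal </title>. It also covers the three outcomes reported per site further down (script execution, redirector, HTML injection) with constructed payload variants; the template, function names, and the attacker.example host are assumptions.

```javascript
// Added example, not from the original advisory or from Google's code.
// Models a site-local search page (hypothetical template) that reflects the
// q parameter into <title> unescaped. Function names, the template and the
// attacker.example host are assumptions made for this example.

// The advisory's payload, URL-encoded as it appears in the query string.
const MOSEB_PAYLOAD = "%3C%2Ftitle%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E";

// Constructed variants for the three outcomes the advisory lists per site:
// cookie-stealing script, redirector, and plain HTML injection.
const PAYLOADS = {
  cookie: "</title><script>alert(document.cookie)</script>",
  redirect: "</title><script>location='http://attacker.example/'</script>",
  htmlInject: "</title><a href=\"http://attacker.example/\">link</a>",
};

// Decode a query-string value the way a server-side $_GET read would (+ is space).
function decodeQueryValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Minimal HTML escaping for text contexts such as <title> and body text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable template: the decoded query lands in <title> and <h1> verbatim.
function renderVulnerable(q) {
  return `<html><head><title>Search: ${q}</title></head>` +
         `<body><h1>Results for ${q}</h1></body></html>`;
}

// Hardened template: the same query, escaped at every output point.
function renderSafe(q) {
  const e = escapeHtml(q);
  return `<html><head><title>Search: ${e}</title></head>` +
         `<body><h1>Results for ${e}</h1></body></html>`;
}

// Browsers treat <title> as RCDATA: everything up to the first literal
// </title> is text, and whatever follows is parsed as markup. Return the
// part of the page that ends up outside the title element.
function markupOutsideTitle(html) {
  const m = /<title>[\s\S]*?<\/title>/i.exec(html);
  if (!m) return html;
  return html.slice(0, m.index) + html.slice(m.index + m[0].length);
}

// Classify what an injected query achieves in the rendered page.
function classifyInjection(html) {
  const rest = markupOutsideTitle(html);
  return {
    scriptExecutes: /<script[\s>]/i.test(rest),
    redirects: /<script[\s>][\s\S]*?\blocation\s*=/i.test(rest),
    htmlInjected: /<a\s+href=/i.test(rest),
  };
}

// Take a full URL like the advisory's, pull out q (URL.searchParams decodes
// it), render it through the given template and report the outcome.
function auditSearchUrl(url, render) {
  const q = new URL(url).searchParams.get("q") || "";
  return classifyInjection(render(q));
}

// Demo: the advisory's URL against the vulnerable and the hardened template.
const demoUrl = "http://site/search.php?q=" + MOSEB_PAYLOAD;
console.log("vulnerable template:", auditSearchUrl(demoUrl, renderVulnerable));
console.log("hardened template:  ", auditSearchUrl(demoUrl, renderSafe));
```

The check deliberately does not look for <script> anywhere in the page: inside an unclosed <title> the tag is inert text, which is exactly why the advisory's payload has to begin with </title>. Escaping at the output point is the fix; stripping only "<script" would still leave the redirector and HTML injection variants working.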

As examples I'll show you three sites with this custom search engine: jumpup.intuit.com (hole found 25.10.2006), ukrbs.org.ua (hole found 17.04.2007) and progler.ru (hole found 15.06.2007).

http://jumpup.intuit.com

XSS:

* alert(document.cookie)
* redirector
* HTML injection (PR4)

The page with the HTML injection hole also has PageRank 4, which makes it interesting for black-hat SEO.

http://ukrbs.org.ua

XSS:

* alert(document.cookie)
* redirector
* HTML injection

http://progler.ru

XSS:

* alert(document.cookie)
* redirector
* HTML injection

The main question: is Google thinking about its users' security? Not too much, just as with the other site-local engines, Yandex in MOSEB-07 Bonus and AltaVista in MOSEB-12 Bonus. Vendors have a lot of room for improvement.

Moral #1: searching in custom engines can be dangerous.

Moral #2: if you use a local (custom) search engine on your site (even one from a famous vendor), always include it in the security audit of the site.

Moral #3: if you are a top search engine vendor, you need to attend to the security of your applications and not put the users of your services at risk.