Next participant of Month of Search Engines Bugs is Google. It is the most popular search engine in the world.
The vulnerabilities are at Google Image Search (images.google.com, on others domains such as images.google.com.ua the same situation). These are Cross-Site Scripting and Content Spoofing holes which I found 03.06.2007. There were similar security issues at Yahoo in MOSEB-02 and at search.live.com (and others engines) - vulnerabilities in image search are common for search engines.
The vulnerability is in imgrefurl parameter:
I called this type of XSS attacks Remote XSS/HTML Include (in this case remote HTML including as remote XSS including are possible). First time I found this type of holes 12.11.2006 in site’s search at one site of one security company wich developed their security scanner (which is lame because not found a lot of holes at their own site) . I didn’t write about holes at that site in my news yet, because I’m very overloaded with hundreds (even thousands) of vulns which I found on sites all over the web. But I’ll certainly do it with time.
Bad guys also can make content spoofing attack with Google Image Search. Because they can spoof not just a page in image preview (imgrefurl parameter), for remote XSS/HTML inclusion as mentioned above, but also imgurl parameter. And because Google save links to images thumbnails in tbnid parameter, so it is possible to find any useful image in Google and use it for attracting users while imgrefurl and imgurl parameters can be spoofed (because they are not checking in connection with tbnid). And these parameters can be arbitrary, so attackers can create special image preview page with custom image, custom previewed html page and custom links (to image and page).
Moral #1: searching for images even in top engines can be dangerous.
Moral #2: pupular search engines need to take care of their and their users security (especially top engines).
Also I prepared another hole concerned with Google. So wait for today’s bonus post .