MOSEB-23 Bonus: Vulnerabilities at search.mywebsearch.com

17:51 24.06.2007

New bonus vulnerabilities in MOSEB. The next participant of the project is the My Web Search engine. It is one of the popular meta search engines (in the USA). My Web Search is a clone of My Search, which is a clone of My Way (these three engines are clones), and they all belong to Ask.com. They like to make clones. It is clone wars :D.

The vulnerabilities are at My Web Search (search.mywebsearch.com), in the search results. I found these Cross-Site Scripting holes (2 XSS and 1 XSS in DOM) on 31.05.2007. These holes are similar to those in MOSEB-23: Vulnerabilities at www.mysearch.com.

XSS:

The vulnerabilities are in the st, ptnrS and tpr parameters:
http://search.mywebsearch.com/mywebsearch/AJnews.jhtml?st=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
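
Why the test string above works, and the output encoding that stops it, as an added example (not code from My Web Search or from this project). The input template and all function names are constructed; the assumption is that st is echoed into a double-quoted HTML attribute, which is what the leading "> in the test string implies.

```javascript
// Added example: constructed template, not the site's real markup.
// Assumption: the st value is echoed into a double-quoted attribute,
// which is what the leading "> in the page's test string implies.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull the st parameter out of a request URL (URL-decoding included).
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get('st') || '';
}

// Vulnerable form: the decoded parameter is concatenated into the page.
function renderUnsafe(st) {
  return '<input type="text" name="st" value="' + st + '">';
}

// Hardened form: same template, value encoded for the HTML context.
function renderSafe(st) {
  return '<input type="text" name="st" value="' + escapeHtml(st) + '">';
}

// True when the rendered markup contains a live <script> element.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Request URL quoted in the post above.
const reported = 'http://search.mywebsearch.com/mywebsearch/AJnews.jhtml' +
  '?st=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E';

const st = searchTerm(reported);
console.log('unsafe:', renderUnsafe(st), '-> script tag:', hasScriptTag(renderUnsafe(st)));
console.log('safe:  ', renderSafe(st), '-> script tag:', hasScriptTag(renderSafe(st)));
```

The same encoding has to be applied wherever ptnrS and tpr are written into the page; the DOM-based hole needs the equivalent fix in the client-side script that writes the value.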

Moral #1: meta searching can be risky.

Moral #2: making clone engines is risky, because it’s harder to make three engines secure than one. So it is better to have one secure engine than three (even four with ask.com) insecure ones.

Moral #3: using (and even visiting) clone search engines can be dangerous.

Note that the My Web Search engine belongs to IAC Search & Media. So Ask.com is also responsible for these vulnerabilities.

