MOSEB-23 Bonus: Vulnerabilities at search.mywebsearch.com
17:51 24.06.2007
New bonus vulnerabilities in MOSEB. The next participant of the project is the My Web Search engine. It is one of the popular meta search engines (in the USA). My Web Search is a clone of My Search, which is a clone of My Way (these three engines are clones), and they all belong to Ask.com. They like to make clones. It is clone wars.
The vulnerabilities are at My Web Search (search.mywebsearch.com) in search results. I found these Cross-Site Scripting holes (2 XSS and 1 XSS in DOM) on 31.05.2007. These holes are similar to those in MOSEB-23: Vulnerabilities at www.mysearch.com.
XSS:
- alert(document.cookie)
- alert(document.cookie)
- alert(document.cookie) (DOM Based XSS)
- redirector
- html injection
The vulnerabilities are in st, ptnrS and tpr parameters:
http://search.mywebsearch.com/mywebsearch/AJnews.jhtml?st=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
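The `%22%3E` prefix in the URL above decodes to `">`, which closes a quoted attribute and its tag when the value is reflected unencoded. The following is an added example, not code from the original post or from the site: the `<input>` template and all function names are hypothetical, and it shows the unencoded reflection beside the attribute-encoded form, with a small regression check over the three parameters named above.

```javascript
// Added example: the template and function names are hypothetical.
// URL quoted on the page; the st parameter carries the test string.
const POC =
  "http://search.mywebsearch.com/mywebsearch/AJnews.jhtml" +
  "?st=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E";

// Parameters the page names as affected.
const REFLECTED = ["st", "ptnrS", "tpr"];

// Encode the characters that can end an attribute value or open a tag.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Before: the parameter value is concatenated straight into a quoted attribute.
function renderVulnerable(params) {
  return `<input name="st" value="${params.get("st") ?? ""}">`;
}

// After: same template, value encoded for the attribute context.
function renderHardened(params) {
  return `<input name="st" value="${escapeHtmlAttr(params.get("st") ?? "")}">`;
}

// Regression check: list the reflected parameters whose decoded value
// contains markup characters and still appears verbatim in the output.
function findUnencodedReflections(url, render) {
  const params = new URL(url).searchParams; // percent-decodes the query
  const html = render(params);
  return REFLECTED.filter((name) => {
    const v = params.get(name);
    return v !== null && /[<>"']/.test(v) && html.includes(v);
  });
}

console.log(findUnencodedReflections(POC, renderVulnerable));
console.log(findUnencodedReflections(POC, renderHardened));
```

The same encoding has to be applied at every place a request parameter is written into the page, and the DOM-based case needs the equivalent fix in client-side script (assigning to `textContent` or an attribute setter rather than building markup from `location` values).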
Moral #1: meta searching can be risky.
Moral #2: making clone engines is risky, because it’s harder to make three engines secure than one. So it is better to have one secure engine than three (even four with ask.com) insecure ones.
Moral #3: using (and even visiting) clone search engines can be dangerous.
Note that the My Web Search engine belongs to IAC Search & Media. So Ask.com is also responsible for these vulnerabilities.