Month of search engine bugs humming along

Almost without notice, the ongoing month of search engine bugs is chugging along, discussing and exposing some rather serious vulnerabilities in some of the world's most popular search engines.
Written by Ryan Naraine, Contributor

The handiwork of a Ukrainian hacker known as "MustLive," the project has published details on cross-site scripting and information disclosure holes haunting the likes of Google, Yahoo, MSN, Ask, Netscape and a range of meta search engines.

The hacker has shown how easy it is to manipulate search queries to inject HTML or conduct site redirection attacks.

Some of the more prominent examples include:

MOSEB-15: Vulnerabilities at Google's image search (http://images.google.com) could expose users to content spoofing and redirection attacks.

This Google search query exposes an information disclosure bug in the way Google's spider indexes Web sites. This example exposes plain-text FTP credentials of YouTube users.

MOSEB-19 demos a persistent cross-site scripting flaw in AOL's Netscape search property.

The Mamma.com meta-search engine contains several vulnerabilities that could cause HTML injection, redirection or XSS attacks.

Flaws in Yahoo and Lycos are also exposed, with demos and explanations.
