"33 search engines (30 web engines and 3 local engines) from 19 vendors
took part in the project; some vendors have several engines. The list of
the project’s participants (in order of appearance): Meta, Yahoo, HotBot,
Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search
Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local
engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local
engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile,
AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory
Project), InfoSpace, Euroseek, Kelkoo, Excite.
Altogether, 104 vulnerabilities were published in the
mentioned engines, including Cross-Site Scripting (as XSS, and as HTML
Injection), Full path disclosure, Content Spoofing and Information
disclosure vulnerabilities. This does not take into account
redirectors in search engines (altogether, 23 redirectors were
published).
Results of the project: 44 of the 104 vulnerabilities were fixed
(without taking redirectors into account). That is 42,31% fixed
vulnerabilities. Owners of search engines have room to improve
their engines’ security.
Note that of all the search engine vendors, only two thanked me
(of 19 vendors of 33 search engines) for the time that I spent on them,
for searching for vulnerabilities in their systems and for helping to
improve their engines’ security (these were Rambler and Ezilon).
But all the other owners of search engines didn’t even think (were lazy)
to do that. That is very unethical on their part and they need to
work on their ethics and culture."
Article Link: http://websecurity.com.ua/1114/