


You Wouldn't Sue a Search Engine



We all got used to seeing useless links on many websites, links nobody would ever want to click. Look at the following picture:

http://img79.imageshack.us/img79/5808/mpaasearch.gif

Someone may ask, "Why are there two searches on MPAA's website? Is there any difference between those 2?"
Searching for "test" ...

http://img105.imageshack.us/img105/9393/mpaatest1o.gif

So, one search is for movie ratings (as the text says). Let's see what the other one is about. Searching again for "test"...

http://img212.imageshack.us/img212/9505/mpaatest2.gif

Interesting results. Let's click on "Full featured example", as a test.

http://img212.imageshack.us/img212/9616/mpaatest3.gif

Where is the word we searched for? Interesting address - /test/sitesold/modules/tinymce/tinymce/ - was that supposed to be public? A search for "license" lists license.txt for every installed module. Searching for "admin" will not list any legal cases involving admins of torrent trackers; instead, you get some of the site's own admin pages listed as search results.
Here are some results for some common search keywords:


It looks like the "Search" link is one of those links nobody would ever want to click on that website. Almost any keyword returns results that are not meant to be seen by the public. Do you want to find out more about their press releases? Search for "press releases" to get pressreleaseswrong.asp.
Searching for "thank you" reveals the way MPAA fixes bugs on their website: they don't correct anything, they just rename the vulnerable file. The new name for "thank_you.asp" is: http://mpaa.org/thank_you_old_05_2009_abdferkf324934lkasdf23493243kdfer.asp.

Other search scripts found (using the keyword "search"):

Their "Google search" is shown as "Google at its best". Sounds interesting. Let's see...

http://img24.imageshack.us/img24/25/mpaatest4a.gif

Doing a test search...

http://img24.imageshack.us/img24/6074/mpaatest4d.gif

Searching for <IFRAME src="http://google.com" width="100%" height="1000px"> ...

http://img24.imageshack.us/img24/4427/mpaatest4b.gif

This should be called "XSS at its best".
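The flaw behind that last screenshot, as an added example that is not the MPAA site's code (function names and the sample hits are hypothetical): a results page that echoes the search term verbatim, next to the hardened form that HTML-escapes it, plus a simple check a reviewer can run over the rendered output.

```python
import html
from typing import Iterable

# Constructed sample: the exact search term typed into the search box above.
PAYLOAD = '<IFRAME src="http://google.com" width="100%" height="1000px">'


def render_results_vulnerable(query: str, hits: Iterable[str]) -> str:
    """Reproduces the defect: the user's query is placed into the HTML
    unchanged, so any markup in it is rendered by the browser."""
    items = "".join(f"<li>{hit}</li>" for hit in hits)
    return f"<h2>Results for: {query}</h2><ul>{items}</ul>"


def render_results_safe(query: str, hits: Iterable[str]) -> str:
    """Hardened form: every untrusted string is escaped before it is placed
    in element content. quote=True also escapes quotes, so the same helper
    is safe when the value ends up inside an attribute (e.g. value="...")."""
    q = html.escape(query, quote=True)
    items = "".join(f"<li>{html.escape(hit, quote=True)}</li>" for hit in hits)
    return f"<h2>Results for: {q}</h2><ul>{items}</ul>"


def contains_active_markup(page: str) -> bool:
    """Crude review check (hypothetical helper): does the rendered page still
    contain a tag or handler that a browser would execute or embed?
    Escaped output turns '<iframe' into '&lt;iframe', which does not match."""
    lowered = page.lower()
    return any(
        marker in lowered
        for marker in ("<iframe", "<script", "onerror=", "onload=", "javascript:")
    )


if __name__ == "__main__":
    hits = ["Full featured example", "license.txt"]  # constructed sample hits
    print(render_results_vulnerable(PAYLOAD, hits))  # embeds a live <IFRAME>
    print(render_results_safe(PAYLOAD, hits))        # shows the tag as text
```

Escaping on output is the fix the search page needed; a Content-Security-Policy header that disallows framing of third-party origins is a second, independent layer, not a replacement for it.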


Submitted by Vektor

