Google API Vulnerable To Cross-Site Scripting

    November 29, 2005
    WebProNews Staff

Security advisory firm Secunia reported a cross-site scripting vulnerability in the Google API Search Engine Script version 1.x and confirmed that it exists in version 1.3.1.

Secunia referenced a vulnerability report on the Unsecured Systems blog describing the flaw, which had not been patched at press time.

The blog described the vulnerability, which Secunia tested and confirmed:

Input passed to the “REQ” parameter in “index.php” when performing a search isn’t properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.


Secunia has rated the vulnerability as “less critical.” The vendor, WWWSearchSolutions, will have to update the source code to fix the issue; developers using the script should check the website for a corrected version.
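The class of fix the advisory calls for, shown as an added example that is not taken from the vendor's script or from the original article. Only the "REQ" parameter and "index.php" come from the advisory; the function names, the markup and the "page" parameter are hypothetical.

```php
<?php
// Added illustration: NOT the vendor's code. Function names and markup are
// hypothetical; only the "REQ" parameter name comes from the advisory.

// Vulnerable pattern: the raw parameter is echoed back into the page.
function render_search_vulnerable(array $query): string
{
    $req = $query['REQ'] ?? '';
    return '<input name="REQ" value="' . $req . '">'
         . '<p>Results for: ' . $req . '</p>';
}

// Encode a value for HTML text and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: check the type, then encode for each output context.
function render_search_hardened(array $query): string
{
    $req = $query['REQ'] ?? '';
    if (!is_string($req)) {   // "REQ[]=x" arrives as an array; treat as empty
        $req = '';
    }
    // URL context: let http_build_query() percent-encode the value, then
    // HTML-encode the finished URL because it sits inside an attribute.
    $next = 'index.php?' . http_build_query(['REQ' => $req, 'page' => 2]);

    return '<input name="REQ" value="' . h($req) . '">'
         . '<p>Results for: ' . h($req) . '</p>'
         . '<a href="' . h($next) . '">Next</a>';
}

// Constructed sample input containing a quote character and markup.
$sample = ['REQ' => '"><b>bold</b>'];
echo render_search_vulnerable($sample), "\n"; // markup reaches the browser intact
echo render_search_hardened($sample), "\n";   // markup arrives as inert text
```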

David Utter is a staff writer for WebProNews covering technology and business.