Design: CSS Websites

Systems Using Google's Mini Search Appliance At Risk

Google, the number one search engine used by Internet users, provides web developers and users certain tools for customizing searches to the user's liking. While Google's reputation is nearly impeccable and its products are generally thought of as "safe", a problem first reported on June 10, 2005 causes some concern over whether such blind faith is wise.

According to The Metasploit Project, Google had to issue a patch in August 2005 to fix security flaws in its Mini Search Appliance. The patch, GA-2005-08-m, fixes problems with the Mini's 'proxystylesheet' implementation. By design, the Google Mini Search Appliance allows system commands and Java code execution by users that would not ordinarily have such system privileges. (See Google Answers.) But because the search interface uses the 'proxystylesheet' form variable to determine which style sheet to apply to the search results, it gives a user an opportunity to feed the script dangerous code. A malicious user can supply a value for this variable that is either a local file name or an HTTP URL.

Researcher H. D. Moore says, "This feature can be abused to perform cross-site scripting (XSS), file discovery, service enumeration, and arbitrary command execution" if the abuser chooses to use a remote URL. Moore provides an exploit example at Metasploit.com. The example shows how a remote URL pointing to an XSLT stylesheet could be used to obtain a root shell. Prior to Google's patch, the user executing the code did not need sufficient system rights for the code to run, and no checks were made prior to execution to ensure that the URL parameter was allowable.
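A defender can look for this parameter abuse in web access logs. The following is an added example, not code from Google, Metasploit or the article's author: it flags requests whose 'proxystylesheet' value is a URL or a file path rather than a plain style sheet name. The combined log format, the plain-name pattern, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate style sheets are referenced by a short plain name.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return None for a plain name, otherwise the reason it is suspicious."""
    if SAFE_NAME.fullmatch(value):
        return None
    if re.match(r"[a-z][a-z0-9+.-]*://", value, re.I) or value.startswith("//"):
        return "remote-url"
    if "/" in value or "\\" in value or ".." in value:
        return "file-path"
    return "unexpected-characters"

def scan(lines):
    """Return (line number, reason, decoded value) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qs percent-decodes once, so encoded URLs and paths are caught too.
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in params.get("proxystylesheet", []):
            reason = classify(value)
            if reason:
                findings.append((number, reason, value))
    return findings

# Constructed sample log lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2005:10:01:02 +0000] '
    '"GET /search?q=printers&proxystylesheet=default_frontend HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Aug/2005:10:03:17 +0000] '
    '"GET /search?q=a&proxystylesheet=http%3A%2F%2Fstyles.example.net%2Fx.xsl HTTP/1.1" 200 812',
    '192.0.2.44 - - [12/Aug/2005:10:03:40 +0000] '
    '"GET /search?q=a&proxystylesheet=..%2Fexample.xsl HTTP/1.1" 200 301',
    '192.0.2.10 - - [12/Aug/2005:10:05:00 +0000] "GET /search?q=css HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same `classify` check can be applied in a reverse proxy or request filter in front of an unpatched appliance to reject anything other than a plain name.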

While Google has stated that its Mini Search Appliance poses no security issues and has been thoroughly tested, Moore performed some random testing using a Google query on "inurl:proxystylesheet". Of the 43 websites tested, 23 were confirmed vulnerable and unpatched.

More information on the patch for Google's customers who have purchased its $2995 Mini Search Appliance is available at the Google Enterprise Solutions support website. The online Google support group for Google-Mini may also shed some light on security concerns about Google's products and appropriate fixes.

About the author: Askme Blax is a writer for Askblax.com (http://www.askblax.com), an African American news and discussion website. Copyright 2005 - AskBlax

Author: Askme Blax

 
