NTA Monitor

Date: 30th December 2005
Risk: High

A researcher at Metasploit has discovered multiple flaws in Google's Mini Search Appliance, including cross-site scripting and system access, amongst others.

Original Extract:

The Google Search Appliance allows customization of the search interface through XSLT style sheets. Certain versions of the appliance allow a remote URL to be supplied as the path to the XSLT style sheet. This feature can be abused to perform cross-site scripting (XSS), file discovery, service enumeration, and arbitrary command execution.

The Google Search Appliance search interface uses the 'proxystylesheet' form variable to determine what style sheet to apply to the search results. This variable can be a local file name or an HTTP URL.

Error Message XSS

A cross-site scripting flaw can be exploited by providing a snippet of malicious JavaScript code for the proxystylesheet variable. The appliance will look for a local file by that name and then display an error message containing the JavaScript code.

File Existence Verification

It is possible to determine the existence of any file on the system by using a relative path from the style sheet directory. The error message returned from the server will disclose whether or not a valid path was provided. This can be used to fingerprint the base operating system and kernel version.

Service Discovery

A rudimentary port scan can be performed by requesting HTTP URLs that point to a target system and individual ports on that system. The error message returned from the server will differ between open and closed ports. The appliance will ignore requests to connect back to itself, but no other restrictions apply.

XSLT Style Sheet XSS

A cross-site scripting flaw can be exploited by creating a malicious XSLT style sheet and specifying the URL to this style sheet in the proxystylesheet parameter. The appliance will download the style sheet and present the malicious JavaScript to the user who executed the search.

XSLT Java Code Execution

It is possible to execute arbitrary Java class methods on the appliance by creating a malicious XSLT style sheet. System commands can be executed as an unprivileged user, which combined with the vulnerable kernel version, can lead to a remote root shell.
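Every issue in the extract above passes through the same 'proxystylesheet' parameter, so abuse of it is visible in the appliance's access log. The following Python is an added example, not code from the NTA Monitor page or the Metasploit advisory; it assumes a Common Log Format access log (sample lines constructed here), a hypothetical allowlist of permitted stylesheet names, and classifies each value as a remote URL, a path probe, reflected markup, or simply not on the allowlist.

```python
"""Flag suspicious 'proxystylesheet' values in search-appliance access logs."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2005:10:00:01 +0000] "GET /search?q=test&proxystylesheet=default_frontend HTTP/1.1" 200 512
10.0.0.6 - - [30/Dec/2005:10:00:02 +0000] "GET /search?q=test&proxystylesheet=http://203.0.113.9:22/ HTTP/1.1" 500 88
10.0.0.7 - - [30/Dec/2005:10:00:03 +0000] "GET /search?q=test&proxystylesheet=../../../../etc/passwd HTTP/1.1" 500 90
10.0.0.8 - - [30/Dec/2005:10:00:04 +0000] "GET /search?q=test&proxystylesheet=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 500 120
"""

# Assumed allowlist of stylesheet names the site legitimately serves.
ALLOWED_STYLESHEETS = {"default_frontend"}
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(value):
    """Return a reason string if the value looks like parameter abuse, else None."""
    v = unquote(value)
    if v in ALLOWED_STYLESHEETS:
        return None
    if urlparse(v).scheme.lower() in ("http", "https", "ftp"):
        return "remote-url"        # remote sheet: port probing or hosted XSLT
    if ".." in v or v.startswith("/"):
        return "path-traversal"    # probing files outside the stylesheet directory
    if "<" in v or ">" in v or "script" in v.lower():
        return "markup-injection"  # value reflected into the error message
    return "not-in-allowlist"      # unknown local name; review but lower priority


def scan_log(text):
    """Return (client_ip, reason, decoded_value) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        params = parse_qs(urlparse(target).query, keep_blank_values=True)
        for value in params.get("proxystylesheet", []):  # parse_qs already decodes
            reason = classify(value)
            if reason:
                findings.append((ip, reason, value))
    return findings


if __name__ == "__main__":
    for ip, reason, value in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value}")
```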

References