NTA Monitor

Latest News

60% of UK website tests revealed Internet encryption and cross-site scripting vulnerabilities

10th April 2008 60% of web application tests performed for UK organisations showed that their websites contain weak encryption or cross-site scripting (XSS) vulnerabilities Read More

Demilitarised Zone most secure option for BlackBerry device

28th February 2008 Recent BlackBerry testing by IT security consultancy, NTA Monitor, has revealed that organisations are still not configuring these mobile devices correctly Read More

Retailers should put security top of their Christmas list

13th November 2007 With British consumers spending more than £6.6 billion online in the last two months of last year, the 2007 festive season is set to be one of great cheer for online retailers Read More

Businesses warned not to have skeletons in cupboards

13th November 2007 For many organisations, the festive season is an opportunity to heave a corporate sigh of relief and enjoy the brief respite in frenetic business activity as countless people all over the world, go home to celebrate Christmas Read More

Date: 30th December 2005
Risk: High

A researcher at Metasploit has discovered multiple flaws in Google's Mini Search Appliance. These include Cross Site Scripting and System Access, amongst others.

Original Extract:

The Google Search Appliance allows customization of the search interface through XSLT style sheets. Certain versions of the appliance allow a remote URL to be supplied as the path to the XSLT style sheet. This feature can be abused to perform cross-site scripting (XSS), file discovery, service enumeration, and arbitrary command execution.

The Google Search Appliance search interface uses the 'proxystylesheet' form variable to determine what style sheet to apply to the search results. This variable can be a local file name or a HTTP URL.

Error Message XSS

A cross-site scripting flaw can be exploited by providing a snippet of malicious JavaScript code for the proxystylesheet variable. The appliance will look for a local file by that name and then display an error message containing the JavaScript code.

File Existence Verification

It is possible to determine the existence of any file on the system by using a relative path from the style sheet directory. The error message returned from the server will disclose whether or not a valid path was provided. This can be used to fingerprint the base operating system and kernel version.

Service Discovery

A rudimentary port scan can be performed by requesting HTTP URLs that point to a target system and individual ports on that system. The error message returned from the server will differ between open and closed ports. The appliance will ignore requests to connect back to itself, but no other restrictions apply.

XSLT Style Sheet XSS

A cross-site scripting flaw can be exploited by creating a malicious XSLT style sheet and specifying the URL to this style sheet in the proxystylesheet parameter. The appliance will download the style sheet and present the malicious Javascript to the user who executed the search.

XSLT Java Code Execution

It is possible to execute arbitrary Java class methods on the appliance by creating a malicious XSLT style sheet. System commands can be executed as an unprivileged user, which combined with the vulnerable kernel version, can lead to a remote root shell.

References

http://metasploit.com/research/vulns/google_proxystylesheet/