Brandon Posted November 24, 2005 Report Share Posted November 24, 2005 Everyone's favorite technology company was given 60 business days to patch their search appliances. Unfortunately, even with the long grace period many appliances remain unpatched.Back in June security researcher H.D. Moore discovered weaknesses in the Google Search Appliance that can allow for cross-site scripting, file discovery, service enumeration, and arbitrary command execution in certain versions of the appliance. Google promptly released a patch in mid-August, however more than three months later many appliances still remain vulnerable.A small sample of 43 appliances taken this week showed that 23 remained vulnerable, 8 were patched, and the status of 12 could not be determined. If this sample is representative of all deployed Google Search Appliances, more than half may still be vulnerable. Following responsible disclosure guidelines, Moore published his findings this week. Quote Link to post Share on other sites
JDoors Posted November 24, 2005 Report Share Posted November 24, 2005 (edited) That's all WAY over my head ... Now I gotta worry about googling? What's the definition, in layman's terms, of "appliance?" Application? Such as "Local," "Images," etc.? Edited November 27, 2005 by JDoors Quote Link to post Share on other sites
Brandon Posted November 26, 2005 Author Report Share Posted November 26, 2005 Metasploit found a potential XSS vulnerability in Google's search appliance and worked with Google to get a patch issued. Details are at http://metasploit.com/research/vulns/google_proxystylesheet/ Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.