Originally published December 18 2005
Flaws in Google Mini patched
by Mike Adams, the Health Ranger, NaturalNews Editor
Google Mini, a hardware search appliance, had several flaws that have now been patched. The flaws could have allowed attacks, but Google said it fixed the flaws immediately and supplied patches to users.
Google has patched several serious security flaws in Google Mini, a hardware search appliance used by medium-sized enterprises and departments within large companies.
The flaws could allow attackers to execute malicious code, carry out cross-site scripting or a port scan, or discover files on the target system, according to security researchers.
Google Mini is a scaled-down version of the enterprise-oriented Google Search Appliance, used for carrying out internal network or public website searches.
The bugs were publicly revealed on Monday by HD Moore of the Metasploit Project.
Google was notified in June and released a patch to customers in August, according to Moore.
The danger originates with a feature in some versions of the appliance allowing a remote URL to be supplied as the path for an XSLT style sheet, used to customise the search interface, Metasploit said.
"The Google Search Appliance search interface uses the 'proxystylesheet' form variable to determine what style sheet to apply to the search results.
Input to the "proxystylesheet" parameter isn't properly sanitised, allowing attackers to execute malicious script code, what's known as a cross-site scripting attack, Metasploit said.
"System commands can be executed as an unprivileged user, which combined with the vulnerable kernel version, can lead to a remote root shell," the advisory said.
The company asked Metasploit's researchers to sign a restrictive NDA as a condition of supplying a Google Mini unit for verifying the fixes.
"As they were written, any vulnerabilities discovered after the documents were signed could be considered confidential and restricted," Moore said in the advisory.
"We declined to sign the documents and Google placed a demo unit online for verification instead."
Google said it had fixed the flaws immediately and supplied patches to affected users.
All content posted on this site is commentary or opinion and is protected under Free Speech. Truth Publishing LLC takes sole responsibility for all content. Truth Publishing sells no hard products and earns no money from the recommendation of products. NaturalNews.com is presented for educational and commentary purposes only and should not be construed as professional advice from any licensed practitioner. Truth Publishing assumes no responsibility for the use or misuse of this material. For the full terms of usage of this material, visit www.NaturalNews.com/terms.shtml