 Google Mini Search Appliance "ie" XSS Vulnerability
Friday, 12 October 2007Vendor: Google
Description:
A vulnerability has been reported in Google Mini Search Appliance, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the "ie" parameter when performing a search is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Example:
http://[site]/search?ie=[code]&site=x&output=xml_no_dtd'&client=x&proxystylesheet=x'
The vulnerability affects Google Mini Search Appliance version 3.4.14.
Solution:
Apply the workaround provided in the vendor advisory (customer access required).
https://support.google.com/enterprise/doc/mini/advisories/ga-2007-09-m.html
Provided and/or discovered by:
Websecurity
Original Advisories:
Google:
https://support.google.com/enterprise/doc/mini/advisories/ga-2007-09-m.html
Websecurity:
http://websecurity.com.ua/1368/
Secunia:
http://secunia.com/advisories/26946/
Related News:
http://www.xssed.com/news/41/A_new_critical_Google_XSS_vulnerability_promptly_corrected/
Share this content:
|
|---|
