Google Search Appliance is vulnerable to XSS

Written by DP

Saturday, 22 September 2007

MustLive from websecurity.com.ua has disclosed a cross-site scripting vulnerability in the very expensive Google Search Appliance solution for enterprises. Many high-profile websites that use this product are currently vulnerable.

Examples:

search.nasa.gov
search.fbi.gov
www.elysee.fr
gb-server-1.mit.edu
search2.foxnews.com
www.bankrate.com
search.who.int
tampafl.gov
search.scifi.com
google.rsc.org
www.ars.usda.gov
mentalhealth.samhsa.gov
search.discovery.com
platosupport.plato.com
search.medicare.gov
www.accenture.com
search.usda.gov
search.pandemicflu.gov
search1.georgia.gov
www.nga.mil
search.mit.edu
www.energystar.gov
search.mi5.gov.uk
gsa.icann.org
search.york.ac.uk

The MI5 website and the other vulnerable ones use an old version of Google Search Appliance, identified by its "©2001 Google" footer.

This Google dork reveals about 195.000 possibly vulnerable websites. Despite the fact that MustLive has contacted Google, rumors say that Google has not yet let its customers know about the issue.
