
Google Advisory GA-2007-09-m

Google Mini: Cross-site scripting vulnerabilities with search parameters

Release date: Sept 25, 2007

Severity: Medium

Systems: This advisory applies to Google Mini (series-MID) version 3.4.14

Overview

A security vulnerability has been found in the Google Mini (series-MID), and Google advises you to follow the instructions in this document. This vulnerability is more pronounced for deployments in which the Google Mini serves results to a public web site.

I. Description

This cross-site scripting vulnerability affects all customers of Google Mini (series-MID) version 3.4.14. We recommend that all Mini customers using this version apply the patch provided by Google.

To verify whether your Mini needs to be patched, enter the following URL into any browser, replacing "minihostname" with your actual Mini hostname:

 http://minihostname/search?proxystylesheet='&output=xml_no_dtd'&q=&ie=%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E 

If you see a popup box, your Mini needs to be patched.
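The check above can also be run without a browser, for example across several appliances you administer. The following Python sketch is an added example, not part of the original advisory or Google's tooling: it builds the advisory's URL and looks at whether the `ie` value comes back in the response as raw markup or HTML-escaped. The function names, the result labels and the sample response bodies are assumptions made for illustration. A raw reflection is a heuristic stand-in for the popup, so the browser test stays the authoritative one.

```python
from html import escape
from urllib.parse import unquote
from urllib.request import urlopen

# Query string exactly as printed in the advisory; only the hostname varies.
PROBE_QUERY = ("proxystylesheet='&output=xml_no_dtd'&q=&ie="
               "%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E")
# Decoded value of the ie parameter: "><script>alert("test")</script>
MARKER = unquote(PROBE_QUERY.split("&ie=", 1)[1])

def probe_url(hostname):
    """Build the advisory's test URL for an appliance you administer."""
    if not hostname or any(c in hostname for c in "/?#@ \t\r\n"):
        raise ValueError("expected a bare hostname")
    return f"http://{hostname}/search?{PROBE_QUERY}"

def classify(body):
    """Say whether the marker came back raw, HTML-escaped, or not at all."""
    if MARKER in body:
        return "needs-patch"    # raw markup was reflected into the page
    if escape(MARKER) in body or escape(MARKER, quote=False) in body:
        return "escaped"        # reflected only as inert text
    return "not-reflected"

def check(hostname, timeout=10):
    """Fetch the test URL and classify the response (needs network access)."""
    with urlopen(probe_url(hostname), timeout=timeout) as resp:
        return classify(resp.read().decode("utf-8", errors="replace"))

# Constructed response bodies (assumed shape), not captured from an appliance.
SAMPLES = {
    "raw": '<meta content="text/html; charset="><script>alert("test")</script>">',
    "escaped": '<meta content="text/html; charset=&quot;&gt;&lt;script&gt;'
               'alert(&quot;test&quot;)&lt;/script&gt;">',
    "absent": "<html><body>No results found.</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify(body))
```

A result of `escaped` or `not-reflected` after installing the patch, where the same host previously returned `needs-patch`, is the outcome to look for.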

This vulnerability is logged as issue #862237 in Google's issues database.

II. Impact

For general information about this type of problem, see Google results for "cross-site scripting".

If your appliance serves search results over the Internet, this vulnerability could be exploited by Internet users who have access to search results. If your Google Mini serves results over a protected intranet, this vulnerability could be exploited by any user who has access to search results.

III. Fix

Install Patch 18 for Google Mini (series-MID). Details are available on the Mini Updates page.