Google Search Appliance Vulnerable to Cross-Site Scripting (XSS)
(Vulnerabilities)
NIST.org
Sunday 26 November 2006 - 20:07:29

What do several Banks, Credit Unions, Universities, countless business websites, dozens of government websites, and Google all have in common? A new Cross-Site Scripting (XSS) vulnerability. One that affects a lot of large websites, many of which are ripe for phishing exploits.

This vulnerability is in the Google Search Appliance, a self-contained little pizza box of a computer built from the ground up to be a search engine for a company’s website or file server. According to Google, prices for this device start at less than $2,000 and it can be up and running in less than an hour. The vulnerability was discovered by a person known by the handle Maluc, and was first reported on ha.ckers.org. The problem involves using UTF-7 character encoding to bypass special character input handling. Normally these special characters (e.g. < and >) are either filtered out or explicitly handled as plain text so they aren't echoed back in the search results as HTML or JavaScript. I’ve been in touch with RSnake, the person who runs the ha.ckers site, and he was kind enough to send me some examples.

The examples demonstrated vulnerabilities at some major websites, including large government sites, major universities, etc. Research here has turned up several more vulnerable sites, including some very big names. We’ve reported the issue to US-CERT.GOV / CERT.ORG and to one of the affected government organizations that is in a position to get the word out. With so many financial institutions and government agencies using this appliance it is only a matter of time before this vulnerability is exploited in a large scale phishing attack. We covered several such attack scenarios in a previous XSS article a few weeks ago. But the possibilities are only limited by the imagination of the attackers.

Mitigation: Hopefully Google releases a patch soon. Otherwise, if it is possible to turn off support for the UTF-7 character set, that might work (though other character sets may also allow the checks to be bypassed).
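The UTF-7 bypass described above and the mitigation question, as an added example that is not from this article, from Google or from ha.ckers.org: the constructed query below contains no literal angle brackets, so a filter that only strips them passes it through, while decoding it as UTF-7 shows the markup it carries. The last function shows the usual hardening for this class of bug, pinning the output charset and escaping the echoed query; all function and variable names are my own.

```python
import codecs
import html

# Constructed sample query (not from the article): the UTF-7 encoding of
# "<script>" followed by plain text. Note it contains no literal '<' or '>'.
SAMPLE_QUERY = "+ADw-script+AD4-nist"
BENIGN_QUERY = "search appliance"


def naive_filter(query: str) -> str:
    """The weak check the article describes: drop literal angle brackets only."""
    return query.replace("<", "").replace(">", "")


def decode_as_utf7(query: str):
    """What a browser that interprets the page as UTF-7 would see.
    Returns None when the text is not valid UTF-7."""
    try:
        return codecs.decode(query.encode("ascii"), "utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None


def looks_like_utf7_markup(query: str) -> bool:
    """Detection rule for request logs: a '+...-' shift sequence whose
    decoded form introduces HTML-significant characters."""
    decoded = decode_as_utf7(query)
    return (
        decoded is not None
        and decoded != query
        and any(c in decoded for c in "<>\"'")
    )


def render_results_header(query: str) -> str:
    """Hardened echo of the query: declare the output charset explicitly and
    HTML-escape the text. html.escape leaves '+ADw-' untouched (it has no
    special characters); the pinned charset is what stops the browser from
    reinterpreting those bytes as UTF-7 and rendering the hidden tag."""
    return (
        '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        f"<p>Results for: {html.escape(query, quote=True)}</p>"
    )
```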

Update: According to the CNET article below, Google has a workaround for this problem and has notified its customers. We're only aware of one company that has implemented the fix. They also apparently weren't aware of the issue until we notified US-CERT and they contacted Google. Ha.ckers.org ran the story almost 5 days before that.

References:


The short list of affected sites:

There are hundreds more.



NIST IT Security
( http://www.nist.org/comment.php?comment.news.184 )