Google fooled by old character sets
Websites using Google's search function or the Google Search Appliance can, under certain circumstances, be vulnerable to cross-site scripting (XSS) attacks. A hacker working under the pseudonym maluc has determined that a query can be switched to the UTF-7 character set, which prevents the engine from properly filtering its output.
The parameter oe=UTF-7 instructs the search engine to interpret the search string as UTF-7. If the string - is then appropriately embedded, it is echoed into the search result page as well and can therefore be executed by the user's browser.
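The mechanism the article describes, as an added illustration that is not part of the original report or of Google's code, is that an HTML escaper which looks for the characters `<` and `>` finds nothing to escape in a UTF-7-encoded string, because UTF-7 spells those characters as the plain ASCII sequences `+ADw-` and `+AD4-`; only once the browser is told the page is UTF-7 do they become markup. The simulated search handler below, its hardened counterpart (an allowlist for the output-encoding parameter and a fixed UTF-8 response charset), and the log-line check are all assumptions about how such a service might be written, not the appliance's internals. The sample query is constructed and injects a harmless `<b>` tag rather than script.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query: plain ASCII, but decodes to "<b>hello" under UTF-7
# (+ADw- is "<", +AD4- is ">").
SAMPLE_QUERY = "+ADw-b+AD4-hello"

# Assumption: the only output encoding the service should ever honour.
ALLOWED_OUTPUT_ENCODINGS = {"utf-8"}


def serve_search_naive(query: str, oe: str) -> tuple[bytes, str]:
    """Flawed handler (assumed model of the bug): the query is HTML-escaped as the
    raw string it arrived as, then echoed into a page whose declared charset is
    whatever the client asked for via oe. The escaper sees no '<' or '>' in
    '+ADw-b+AD4-', so it leaves the text untouched."""
    body = f"<p>Results for {html.escape(query, quote=True)}</p>"
    return body.encode("ascii", "xmlcharrefreplace"), oe.lower()


def serve_search_hardened(query: str, oe: str) -> tuple[bytes, str]:
    """Hardened handler (assumed fix): an unknown oe value is ignored and the page
    is always served as UTF-8, so the escaper and the browser agree on what a
    '<' looks like. The UTF-7 sequences stay literal text."""
    charset = oe.lower() if oe.lower() in ALLOWED_OUTPUT_ENCODINGS else "utf-8"
    body = f"<p>Results for {html.escape(query, quote=True)}</p>"
    return body.encode(charset), charset


def browser_view(body: bytes, charset: str) -> str:
    """Simulate a browser that honours the charset declared by the server."""
    return body.decode(charset)


def injected_markup(rendered: str) -> bool:
    """True if the rendered page contains any tag beyond the <p> we emitted."""
    stripped = rendered.replace("<p>", "").replace("</p>", "")
    return "<" in stripped


def suspicious_oe(query_string: str) -> bool:
    """Detection helper for access logs: flag requests that ask for an output
    encoding outside the allowlist (e.g. oe=UTF-7)."""
    params = parse_qs(query_string)
    for value in params.get("oe", []):
        if value.lower() not in ALLOWED_OUTPUT_ENCODINGS:
            return True
    return False


def demo() -> dict:
    naive = browser_view(*serve_search_naive(SAMPLE_QUERY, "UTF-7"))
    hardened = browser_view(*serve_search_hardened(SAMPLE_QUERY, "UTF-7"))
    return {
        "naive_rendered": naive,
        "naive_injected": injected_markup(naive),
        "hardened_rendered": hardened,
        "hardened_injected": injected_markup(hardened),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The naive handler renders `<p>Results for <b>hello</p>`, while the hardened one renders the query as the literal text `+ADw-b+AD4-hello`. The point of the fix is not a better escaper but removing the client's ability to change the charset the escaper's output is interpreted in.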
Since the Google Search Appliance, which is touted as the "secure real-time search engine for corporate data," is in use at many companies, the potential of this invisible hole should not be underestimated. Google itself is not vulnerable, since the search engine's own pages filter the output, but a search for sites using the appliance turns up scads of candidates. maluc cites the websites of the US NIST and Stanford University as examples.
Google has sent an advisory to its customers explaining the problem and providing a fix. What's embarrassing for the search-engine titan is that precisely this problem was reported about a year ago, at which time Google removed the flaw from its own website. Clearly it forgot to integrate the fix into its own products.
- Widespread XSS for Google Search Appliance by maluc
- Cross-Site-Scripting: Data theft on the rebound, background article on heise Security