Paid Advertising
web application security lab

Another XSS In Google Search Appliance

$30,000 and vulnerabilities to boot! Google’s search appliance appears to be vulnerable to another XSS vulnerability, according to Mustlive’s disclosure. It comes complete with a Google dork. Not good. Mustlive has contacted Google, who to my knowledge has not let their customers know that they are vulnerable - if I’m wrong, someone please correct me.

Here are a few examples: and

This obviously puts any site that uses Google’s search appliance with this particular vulnerability in it at risk (there are, as of this writing 186,000 listings on the Google dork). Time to patch up - once Google comes out with one, that is.

19 Responses to “Another XSS In Google Search Appliance”

  1. MustLive Says:

    RSnake, - it is holes at MI5 site, and my disclosure is ;-).

    And for me Google show up to 195000 sites in my dork :-). Yes, Google need to fix these XSS holes.

    For current time (after almost one day) they didn’t answer me, except default answer. Google need to work faster, a lot of people are using their products.

  2. RSnake Says:

    Whoops - updated with the correct URL. Sorry, Mustlive!

  3. hoath Says:

    Best example is with Mustlive’s comment: sweet irony at MI5’s hole!

    The moral could be “never trust another company with something sensitive” (but i can’t remember it exactly); the same is with banks (look at the Northern Rock situation in the UK)

    Then again..

  4. MustLive Says:


    Just before holes at MI5’s site, I wrote about hole at MI6’s site ( ;-)

    The hole also in local search engine, not Google’s engine this time, but still vulnerable. So every site’s search engine (and Google Search Appliance in particular) and whole sites of people who take care about its security, and sites of special services especially, need to be security audited. MI5 and MI6 need to attend to security of their sites.

  5. maluc Says:

    Nice work MustLive ^^

    trying to get things done in utf7 was a pain in the ass..

  6. hackathology Says:

    Nice work MustLive

  7. 0kn0ck Says:

    Hilarious and very good too. Goooooooooooooooogle.

  8. Dhaval Shah (aka dkcreatto) Says:

    MustLive can you tell me which lang you use in blog… need for babelfishing :=)

  9. maluc Says:

    the .ua TLD of his website would suggest it’s ukrainian .. but i can’t tell languages with the cyrillic alphabet apart - all russian to me :x

  10. digi Says:

    Not all Google appliances seem to be vulnerable as advertised (although problematic nonetheless)

    /export/hda3/4.6.4/local/conf/frontends/x/domain_filter (No such file or directory)

    Is above output a product of not configuring a filter?

    That using the stated: /search?ie=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&site=x&output=xml_no_dtd’&client=x&proxystylesheet=x’

    Anyone have a unit they can pull apart?

  11. RSnake Says:

    @digi - Hahah… if I did I probably wouldn’t be willing to sacrifice $30k ;)

  12. SilentBob Says:

    FYI, the code is POC code
    the x should be replaced with whatever the filter name is on the site you are testing…
    look at the mi5 examples

    are all changed to


    This is not to say that all appliances are vulnerable…the ones I have been checking return:
    “Temporary server error. Try again in a minute.”

  13. digi Says:

    Config changed in my previous example to protect the guilty (I didn’t use X’s really, although, I fat fingered my filter which led to other interesting things).

    Configuring per spec, results in your message. If you configured the way I did initially, you find that you can reproduce your temporary server error elsewhere in the string, indicating to me more issues exist in a proven vulnerable device.

    I wonder if this bug has been quietly fixed on newer devices. I can’t reproduce on this one.

  14. gsaXpert Says:

    Well, maybe it is only affecting Google Minis.

    IŽve done several attempts to GSAs and it didnŽt work.
    You can check the software version (if avaliable) on port 8000.

    York website is using google mini accordng to its website and the icaan can be checked here:
    altough it states Google Search Appliance, the software version says its a Mini.

    IŽll keep my research on.

  15. MustLive Says:

    Dhaval Shah and guys, at my site I use Ukrainian language. If you need to translate my posts you can use services which support ukr-eng translation (like

    gsaXpert, you need to check (if you want) what type of Google search is vulnerable Google Mini or Google Search Appliance (or both). Because as I found on web sites where I tested these XSS holes (mi5, icaan and york) they are using GSA.

    Like icaan’ site tell (, they are using GSA ( as it written on pages (but they have Mini logo). And york’s site tell ( that they are using Google Search Appliance. So I wrote that holes are in GSA.

  16. gsaXpert Says:


    First of all, youŽve done a pretty impressive work finding those bugs.

    IŽve done a deeper research and IŽve found that the logo determines wich product is.

    You can check it at:
    (Google minis)

    (Google Search Appliances)

    On the York website you can find:
    Where it states: “The University uses Google Mini to index information”

    Thanks for your help!



  17. gsaXpert Says:

    At last, Google officially recognized this bug.

    Guess what? it only affects Mini systems.


  18. RSnake Says:

    Twelve days to admit it’s a problem. Interesting. Still waiting on the google desktop issues to come back - they’re still looking into those apparently. Best and the brightest!

  19. Robert Kim Says:

    I have done some few tests and I can reassure you that these vulnerabilities are taken care of on all version of enterprise search appliance by Google ;)