ID: 3402
Date: 26 September 2007 13:58
Title: 3402 - Google Search Application XSS vulnerability
Abstract: Description of a reported vulnerability in Google Search Appliance by GovCERTUK.
Vendors affected: Google
Applications affected: Google Search Application
Source: GovCERTUK
Reliability of source: Trusted
Source URL: http://www.govcertuk.gov.uk/
Issued: 26/09/07
Overview
On the 18th September 2007, a Ukrainian website reported that a Cross Site Scripting (XSS) vulnerability existed in the Google Search Application. The Google Search Application can be used to search a local website, and is widely used on Internet-facing websites to provide search functionality both internally and externally.
http://www.xssed.com/news/40/Google_Search_Appliance_is_vulnerable_to_XSS/
Cross Site Scripting (XSS)
XSS is a common vulnerability that could allow malicious content to be delivered by an attacker whilst spoofing a legitimate source. Examples of how an XSS vulnerability can be used for malicious activity include:
Attacking other users
An attacker could create a malicious web link that appears to be legitimate, and distribute it to a large target audience (e.g. via email or message board posts). The attacker would need to convince users to visit the malicious site, and using a .gov.uk URL adds significant credibility to the lure, as the link appears to be hosted at a legitimate, trusted domain. Anyone who follows the link would load a web page containing malicious code. This is then executed on the local machine by exploiting vulnerabilities in the browser (see Appendix A), allowing an attacker to take control of the local machine.
Phishing attacks
An attacker could send out a crafted email that, using social engineering techniques, convinces a user to visit a website. The link that the user clicks, however, directs them to a site that the attacker has crafted to look authentic. This site encourages the user to provide personal information, which is then submitted to a site the attacker controls.
Website defacement
Using XSS, it could be possible for an attacker to alter the content of a web page. This could include altering text as well as adding damaging or defamatory statements. For example, an attacker could add a political statement, or generally deface the site.
How this affects the Google Search Application
The Google Search Application is vulnerable to the above-mentioned XSS vulnerabilities. This means that a vulnerable website could be used to deliver malicious content to an end user.
There are also more advanced attacks possible using XSS, including persisting XSS code across sites, attacking intranet sites and proxy browsing. However, at this time it is not thought that the Google Search Application is vulnerable to these advanced XSS attacks.
Mitigation Advice
GovCERTUK advises that the Google Search Application be completely disabled until Google issues a patch to resolve this vulnerability.
In addition to this there are steps that should be taken to prevent further XSS exploitation:
All user input should be validated for potentially malicious input. For example, an input field for a telephone number should be validated to remove all non-numeric characters.
All user input should be HTML-encoded before it is written into a page. This prevents special characters, such as ‘&’ or ‘<’, from being interpreted as HTML markup rather than as text.
Departments are reminded that proper content filtering will also help prevent XSS and other vulnerabilities.
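As an added illustration, not part of the original advisory and not the appliance's own code, the following Python shows the reflected search-term pattern behind this class of bug next to a hardened version applying the two controls above (allow-list validation and HTML encoding). The function names and the sample query are constructed for this example.

```python
import html
import re
from typing import Optional

# Constructed sample input: a search term that carries markup and a quote,
# of the kind a crafted link could place in the "q" parameter.
SAMPLE_QUERY = 'printers" <script>x</script>'


def render_results_unsafe(query: str, hit_count: int) -> str:
    """Vulnerable pattern: the search term is concatenated straight into the
    results page, so any markup in it is handed to the browser as HTML."""
    return ('<input name="q" value="' + query + '">'
            '<p>' + str(hit_count) + ' results for ' + query + '</p>')


def render_results_safe(query: str, hit_count: int) -> str:
    """Hardened pattern: every user-controlled value is HTML-encoded for the
    context it lands in. quote=True also encodes " and ', which matters when
    the value is echoed inside the value="..." attribute."""
    q = html.escape(query, quote=True)
    return ('<input name="q" value="' + q + '">'
            '<p>' + str(hit_count) + ' results for ' + q + '</p>')


def validate_phone(raw: str) -> Optional[str]:
    """Allow-list validation for a telephone field, as the advisory recommends:
    drop every non-numeric character, then reject the remainder if its length
    is not plausible for a phone number (6-15 digits assumed here)."""
    digits = re.sub(r'[^0-9]', '', raw)
    return digits if 6 <= len(digits) <= 15 else None


def reflects_raw_markup(page: str, user_input: str) -> bool:
    """Simple check for a code review or regression test: does the rendered
    page still contain the user's input verbatim while that input holds
    characters that are significant in HTML?"""
    significant = any(ch in user_input for ch in '<>"\'&')
    return significant and user_input in page


if __name__ == '__main__':
    print('unsafe reflects markup:',
          reflects_raw_markup(render_results_unsafe(SAMPLE_QUERY, 3), SAMPLE_QUERY))
    print('safe reflects markup:  ',
          reflects_raw_markup(render_results_safe(SAMPLE_QUERY, 3), SAMPLE_QUERY))
```

Encoding at the point of output is the control that closes the reflected case; the allow-list validator narrows what reaches the page in the first place but cannot replace encoding for free-text fields such as a search term.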
Appendix A
Various browser vulnerabilities exist that could allow an attacker to gain control of the user’s machine. Common vulnerabilities include:
The RDS.Dataspace vulnerability (MS06-014)
http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
The VML vulnerability (MS06-055)
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
The ANI vulnerability (MS07-017)
http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.