An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.

Send your tips to gostips@gmail.com .

November 20, 2006

XSS Vulnerability in Google Search Appliance



Maluc found a cross-site scripting vulnerability in Google Search Appliance, a box that indexes documents from intranet and web sites. If you set the output encoding to UTF-7, the appliance doesn't validate the query and you can pass JavaScript.

Here's one example for Stanford's site that uses Google Search Appliance: stanford.edu.

This blog is not affiliated with Google.