Back in June security researcher H.D. Moore discovered weaknesses in the Google Search Appliance that can allow for cross-site scripting, file discovery, service enumeration, and arbitrary command execution in certain versions of the appliance. Google promptly released a patch in mid-August, however more than three months later many appliances still remain vulnerable.
A small sample of 43 appliances taken this week showed that 23 remained vulnerable, 8 were patched, and the status of 12 could not be determined. If this sample is representative of all deployed Google Search Appliances, more than half may still be vulnerable. Following responsible disclosure guidelines, Moore published his findings this week.
Thanks to H.D. Moore of the Metasploit Project for suggesting this news item.
Posted by: Kelly Martin