Google Appliance making Sites XSS Vulnerable

Rsnake at hackers is reporting:

maluc has discovered that if you keep [Google Search Appliance] on your domain your whole domain is at risk of information leakage, session theft, etc…. The hole uses the selected encoding issue I’ve been talking about, but instead of using the US-ASCII encoding issue, he used the UTF-7 hole. Fantastic! He also disclosed a number of vulnerable websites including Stanford, the Food and Drug Administration and the National Institute of Standards and Technology.

It’s an XSS in most sites that use the Google search API with its generic results template. The API allows any encoding method to be used for output, and doesn’t sanitize until after the page has been converted.

Google.com uses the same API but it’s unaffected because it sanitizes in UTF-8 before converting to the output encoding. It will be interesting to see how quickly this can be patched.
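
The ordering difference described above, as an added sketch (not code from the post, from maluc, or from Google): it compares escaping bytes that are assumed to be in the output encoding already with escaping the UTF-8 text first and transcoding afterwards, then decodes both responses as a client honouring a UTF-7 charset label would. The function names, the charset allowlist and the sample query are assumptions made for illustration.

```python
import html

# Assumption for this sketch: charsets the results template is willing to emit.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}

# Constructed sample: "<b>x</b>" written as UTF-7 shifted sequences (pure ASCII bytes).
SAMPLE_QUERY = b"+ADw-b+AD4-x+ADw-/b+AD4-"


def render_escape_bytes(raw_query: bytes) -> bytes:
    """Ordering described as vulnerable: the query is treated as already being
    in the output encoding, so escaping only ever sees the raw bytes."""
    escaped = (raw_query.replace(b"&", b"&amp;")
                        .replace(b"<", b"&lt;")
                        .replace(b">", b"&gt;"))
    return b"<p>Results for " + escaped + b"</p>"


def render_escape_then_transcode(raw_query: bytes, charset: str) -> bytes:
    """Ordering described for google.com: escape the UTF-8 text, then convert."""
    text = raw_query.decode("utf-8", errors="replace")
    page = "<p>Results for " + html.escape(text) + "</p>"
    # Transcoding rewrites "+" as "+-" in UTF-7, so the input stays literal text.
    return page.encode(charset, errors="xmlcharrefreplace")


def pick_charset(requested: str) -> str:
    """Extra hardening: ignore any requested output charset outside the allowlist."""
    requested = requested.strip().lower()
    return requested if requested in ALLOWED_CHARSETS else "utf-8"


def as_browser_sees(body: bytes, charset: str) -> str:
    """Decode the response the way a client honouring the declared charset would."""
    return body.decode(charset)


if __name__ == "__main__":
    for name, body in (
        ("escape raw bytes", render_escape_bytes(SAMPLE_QUERY)),
        ("escape then transcode", render_escape_then_transcode(SAMPLE_QUERY, "utf-7")),
    ):
        print(f"{name:22} -> {as_browser_sees(body, 'utf-7')}")
    print("charset used when 'UTF-7' is requested:", pick_charset("UTF-7"))
```

In the first path the byte-level escaper finds nothing to escape, yet the decoded page contains markup; in the second the same input survives only as literal text.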


One Response to “Google Appliance making Sites XSS Vulnerable”

  1. QuadsZilla says:

    Turns out . . . pretty quickly:

    http://news.zdnet.co.uk/security/0,1000000189,39284889,00.htm

    Google sent an advisory to all customers on 22 November, the spokesman said. The vulnerability will also be addressed in the next release of the products, he said.