I’ve just read on RSnake’s blog that MustLive, a very active Ukrainian researcher, disclosed yet another XSS vulnerability affecting the Google Search Appliance.
The Google Search Appliance starts at $30,000, whereas the Mini starts at $1,995.
This means that about 196,000 web sites, many of them belonging to very important universities and other public bodies, are paying to put their data and their users at risk.
Last time I checked, putting up a self-hosted search engine was not a terribly hard task, whether you prefer Java, PHP or just plain CGI.
When you discover that your own web site is broken, do you really want to depend on someone else for a fix?
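To make the point concrete, here is an added example (not code from the original post, and not Google’s): a minimal self-hosted search handler written in Python rather than Java, PHP or CGI, with the classic search-page XSS (the query echoed straight into the HTML) next to a version that encodes for each output context. The page index, titles and the `/search` URL are constructed here for illustration.

```python
import html
import re
from urllib.parse import quote, urlencode

# Constructed toy index standing in for a site's crawled pages (not real data).
INDEX = [
    {"url": "/about", "title": "About the department",
     "text": "History of the department and its staff."},
    {"url": "/courses/xss", "title": "Web security course <beta>",
     "text": "Covers cross-site scripting & friends."},
    {"url": "/news", "title": "News",
     "text": "Latest announcements from the university."},
]


def tokenize(s):
    """Lower-case word tokens; good enough for a demonstration index."""
    return re.findall(r"\w+", s.lower())


def search(query):
    """Return indexed pages that contain every query term in title or body."""
    terms = tokenize(query)
    if not terms:
        return []
    hits = []
    for doc in INDEX:
        haystack = tokenize(doc["title"] + " " + doc["text"])
        if all(t in haystack for t in terms):
            hits.append(doc)
    return hits


def render_vulnerable(query):
    """The search-page XSS pattern: raw query (and raw titles) land in HTML."""
    rows = "".join(f'<li><a href="{d["url"]}">{d["title"]}</a></li>'
                   for d in search(query))
    return f"<h1>Results for: {query}</h1><ul>{rows}</ul>"


def render_hardened(query):
    """Encode every dynamic value for the context it is written into:
    HTML text, HTML attribute, and URL (URL-encode first, then attribute-encode)."""
    rows = []
    for d in search(query):
        href = html.escape(quote(d["url"], safe="/"), quote=True)  # URL -> attribute
        title = html.escape(d["title"])                            # HTML text
        rows.append(f'<li><a href="{href}">{title}</a></li>')
    # Hypothetical /search endpoint; the query is URL-encoded, then attribute-encoded.
    again = html.escape("/search?" + urlencode({"q": query}), quote=True)
    return (f"<h1>Results for: {html.escape(query)}</h1>"
            f"<ul>{''.join(rows)}</ul>"
            f'<a href="{again}">Search again</a>')


if __name__ == "__main__":
    payload = '<script>alert(1)</script>'
    print(render_vulnerable(payload))
    print(render_hardened(payload))
```

The hardened version encodes at the point of output rather than trying to filter the input, because the same query string is written into three different contexts and each needs its own encoding; in a real deployment the same effect is usually obtained by a template engine with auto-escaping turned on, but the per-context rule is what you need to verify when auditing whichever engine (or appliance) you end up with.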

September 21st, 2007 at 9:47 pm
I understand that it’s a problem, but saying that anyone could write something like the Google search appliance is a huge exaggeration. Sure, you could write /a/ search engine, but it most likely wouldn’t scale or find results particularly well. The reason people buy these is because they have very large data sets, not just because they have some tiny website they want to make searchable.
September 22nd, 2007 at 7:00 am
@kuza55:
I understand your point, but I deployed Lucene (my Java example above) in several mission-critical “enterprise class” environments (just to speak their lingo ;) ), and I can tell you first-hand that it scales very well, given enough iron and tuning.
You may be surprised by some random reports, but I guess the “Powered by Lucene” list could be a better argument (hint: look at the bottom, under the “W” letter).
How many organization-wide search engines really benefit from PageRank™ or other algorithms “sensing” their content to inject the most relevant ads, anyway?
September 24th, 2007 at 10:37 am
[…] Outsourcing XSS Vulnerabilities 24 09 2007 […]
September 24th, 2007 at 1:06 pm
Wikipedia’s search is absolutely awful. Unless you know the exact term you’re looking for, and there’s an article on that term, then you might as well just go to google and include wikipedia in the search terms.
September 24th, 2007 at 7:13 pm
[…] Google Search Appliance XSS, affecting almost 200,000 paying customers of the outsourced search engine and their users: this […]
April 8th, 2008 at 4:11 pm
[…] BTW, isn’t that a Google Search Appliance? […]
April 29th, 2008 at 2:47 am
Didn’t know there were self-hosted search engines…are those vulnerabilities fix/patchable now that it’s a known issue?
May 27th, 2008 at 7:29 am
“Didn’t know there were self-hosted search engines…are those vulnerabilities fix/patchable now that it’s a known issue?” - I’m not sure but we can try it anyways.