I've just read on RSnake's blog that MustLive, a very active Ukrainian researcher, disclosed yet another XSS vulnerability affecting the Google Search Appliance.

The Google Search Appliance starts at $30,000, whereas the Mini starts at $1,995.

This means that about 196,000 web sites, many of them belonging to very important universities and other public bodies, are willing to pay to put their data and their users at risk.

Last time I checked, putting up a self-hosted search engine was not a terribly hard task, whether you prefer Java, PHP or just plain CGI.
When you discover your own web site is broken, do you really want to depend on someone else for a fix?
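To make the "fix it yourself" point concrete, here is an added example (not code from the post or from any product it mentions) of a tiny self-hosted search handler in Python, in the spirit of the "plain CGI" option, with the reflected query HTML-escaped so a search term cannot turn into a reflected XSS; the page corpus, paths and function names are constructed for illustration.

```python
# Added example: a minimal self-hosted search handler where the one thing a
# search engine reliably gets wrong, reflecting the query back unescaped,
# is handled correctly. The corpus below is constructed sample data.
import html
from urllib.parse import parse_qs

# Constructed sample corpus standing in for a site's indexed pages.
PAGES = {
    "/about.html": "About the university library and its catalogue",
    "/news.html": "Library news: new search service launched",
    "/contact.html": "Contact the library service desk",
}


def search(query):
    """Return the paths of pages whose text contains every query term."""
    terms = [t for t in query.lower().split() if t]
    if not terms:
        return []
    return [path for path, text in PAGES.items()
            if all(t in text.lower() for t in terms)]


def render_results(query, hits):
    """Render a results page. The query is reflected into both element text
    and an attribute value, so it is escaped with quote=True (also turns
    quotes into entities), which keeps it inert in either context."""
    safe_q = html.escape(query, quote=True)
    items = "".join(
        '<li><a href="%s">%s</a></li>' % (html.escape(p, quote=True),
                                          html.escape(p))
        for p in hits)
    return ('<h1>Results for "%s"</h1><ul>%s</ul>'
            '<input name="q" value="%s">' % (safe_q, items, safe_q))


def handle_query_string(qs):
    """Entry point a CGI script would feed with os.environ['QUERY_STRING']."""
    query = parse_qs(qs).get("q", [""])[0]
    return render_results(query, search(query))


if __name__ == "__main__":
    print(handle_query_string("q=library+search"))
    # A query carrying markup comes back as harmless entities, not as a tag.
    print(handle_query_string("q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"))
```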

9 Responses to “Outsourcing XSS Vulnerabilities”

  1. #1 kuza55 says:

    I understand that it's a problem, but saying that anyone could write something like the Google search appliance is a huge exaggeration. Sure, you could write /a/ search engine, but it most likely wouldn't scale or find results particularly well. The reason people buy these is because they have very large data sets, not just because they have some tiny website they want to make searchable.

  2. #2 Giorgio says:

    @kuza55:
    I understand your point, but I deployed Lucene (my Java example above) in several mission-critical "enterprise class" environments (just to speak their lingo ;) ), and I can tell you first-hand that it scales very well, given enough iron and tuning.
    You may be surprised by some random reports, but I guess the "Powered by Lucene" list could be a better argument (hint: look at the bottom, under the "W" letter).

    How many organization-wide search engines really benefit from PageRank™ or other algorithms "sensing" their content to inject the most relevant ads, anyway?

  3. #3 hackademix.net » GoogHOle (XSS pwning GMail, Picasa and almost 200K customers) says:

    [...] Outsourcing XSS Vulnerabilities 24 09 2007 [...]

  4. #4 jday says:

    Wikipedia's search is absolutely awful. Unless you know the exact term you're looking for, and there's an article on that term, then you might as well just go to google and include wikipedia in the search terms.

  5. #5 DigitMemo.com » Multi Google Security Holes Revealed says:

    [...] Google Search Appliance XSS, affecting almost 200,000 paying customers of the outsourced search engine and their users: this [...]

  6. #6 hackademix.net » Symantec Vulnerabilities and Hard Things To Do says:

    [...] BTW, isn’t that a Google Search Appliance? [...]

  7. #7 Outsourcing Delegation Guru says:

    Didn't know there were self-hosted search engines...are those vulnerabilities fix/patchable now that it's a known issue?

  8. #8 outsourcing says:

    "Didn't know there were self-hosted search engines... are those vulnerabilities fix/patchable now that it's a known issue?" - I'm not sure but we can try it anyways.

  9. #9 Maria Fernandez says:

    Clients should be more careful about the SEO that they use. Google may be the number one Search tool at the present but that doesn't mean that they are an exception to the said cases. Investors are gambling their businesses by using SEO and these vulnerabilities can cause a major effect on their business.
