Overview
A cross-site scripting vulnerability exists in the Google Desktop Search application. This vulnerability may allow an attacker to take any action on a vulnerable system that the Google Desktop Search can.
Description
Google Desktop Search is a desktop search program that is integrated into the Google search engine. Google Desktop Search indexes the user's local hard drive, and allows the results to be searched from a browser. The Google Desktop Search program contains a cross-site scripting vulnerability in the under parameter. This vulnerability occurs because the Google Desktop Search engine fails to properly sanitize user input. |
Impact
A remote unauthenticated attacker may be able to perform any action that the Google Desktop Search engine is capable of performing. This includes executing programs that are already on a vulnerable system, searching and viewing files and exfiltrating sensitive data. |
Solution
Upgrade |
|
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
- http://desktop.google.com/
- http://desktop.google.com/support/bin/answer.py?answer=15935&topic=95
- http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf
- http://www.cert.org/tech_tips/securing_browser/#how_to_secure
- http://www.cert.org/tech_tips/malicious_code_FAQ.html
- http://www.cert.org/tech_tips/securing_browser/
- https://addons.mozilla.org/
- http://news.com.com/IE+flaw+lets+intruders+into+Google+Desktop/2100-7349_3-5980623.html?part=rss&tag=5980623&subj=news
Acknowledgements
Thanks to Yair Amit, Danny Allan, and Adi Sharabani for providing information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
CVE IDs: | None |
Severity Metric: | 0.52 |
Date Public: | 2007-02-21 |
Date First Published: | 2007-02-22 |
Date Last Updated: | 2007-02-27 16:08 UTC |
Document Revision: | 54 |