Google has patched several serious security flaws in Google Mini, a hardware search appliance used by medium-sized enterprises and departments within large companies.
The flaws could allow attackers to execute malicious code, carry out cross-site scripting or a port scan, or discover files on the target system, according to security researchers.

Google Mini is a scaled-down version of the enterprise-oriented Google Search Appliance, used for carrying out internal network or public website searches.

The bugs were publicly revealed on Monday by HD Moore of the Metasploit Project. Google was notified in June and released a patch to customers in August, according to Moore.

The danger originates with a feature in some versions of the appliance allowing a remote URL to be supplied as the path for an XSLT style sheet, used to customise the search interface, Metasploit said. "The Google Search Appliance search interface uses the 'proxystylesheet' form variable to determine what style sheet to apply to the search results. This variable can be a local file name or a HTTP URL," the organisation said in its advisory.

Input to the "proxystylesheet" parameter isn't properly sanitised, allowing attackers to execute malicious script code, an attack known as cross-site scripting, Metasploit said. This can be carried out via the appliance's error message system, or via a malicious XSLT style sheet.

A malicious XSLT style sheet can also be used to execute malicious Java class methods on the appliance, said Metasploit. "System commands can be executed as an unprivileged user, which combined with the vulnerable kernel version, can lead to a remote root shell," the advisory said.

Other possible attacks include a basic port scan, which is useful for carrying out further attacks, and determining whether particular files exist on the appliance. "This can be used to fingerprint the base operating system and kernel version," Metasploit noted.
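For administrators reviewing appliance traffic, the Python check below scans web access log lines for "proxystylesheet" values that are not plain local style sheet names. It is an added example, not code from the advisory or from Google. The /search path, the log format, the local-name pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a local style sheet name is a short token of these characters.
LOCAL_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Anything that starts with "scheme:" (http:, https:, file:, ...) is a URL.
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)
# Combined-log-style line: client address first, request line in quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_stylesheet(value):
    """Return 'local', 'remote-url' or 'suspicious' for one decoded value."""
    if HAS_SCHEME.match(value) or value.startswith("//"):
        return "remote-url"
    if LOCAL_NAME.fullmatch(value) and ".." not in value:
        return "local"
    # Markup, path separators, traversal sequences and the like land here.
    return "suspicious"


def flag_requests(log_lines):
    """Return (client, verdict, value) for every non-local proxystylesheet."""
    findings = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes, so encoded URLs and markup are caught too.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("proxystylesheet", []):
            verdict = classify_stylesheet(value)
            if verdict != "local":
                findings.append((client, verdict, value))
    return findings


# Constructed sample log lines (documentation addresses, placeholder host).
TS = "[01/Jan/2000:00:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /search?q=vpn&proxystylesheet=default_frontend HTTP/1.1" 200 5120',
    f'198.51.100.7 - - {TS} "GET /search?q=x&proxystylesheet=http%3A%2F%2Fstyles.example.invalid%2Fa.xsl HTTP/1.1" 200 811',
    f'198.51.100.7 - - {TS} "GET /search?q=x&proxystylesheet=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 640',
    f'203.0.113.5 - - {TS} "GET /search?q=report HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, verdict, value in flag_requests(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{value!r}")
```

The same classification can serve as an allowlist in a reverse proxy placed in front of an unpatched unit, rejecting any request whose value is not "local".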

Moore said Google had been responsive and had worked quickly to fix the problems. The company asked Metasploit's researchers to sign a restrictive NDA as a condition of supplying a Google Mini unit for verifying the fixes.

"As they were written, any vulnerabilities discovered after the documents were signed could be considered confidential and restricted," Moore said in the advisory. "We declined to sign the documents and Google placed a demo unit online for verification instead."

Google said it had fixed the flaws immediately and supplied patches to affected users. No customers reported problems due to the vulnerability, according to Google.

A security flaw was revealed over the weekend in Google's Gmail service, which could have allowed attackers to take control of users' email accounts. Google downplayed the problem, saying it had posed little risk and had been patched weeks ago.