CVE-2005-3757

Google Mini Search Appliance - Remote Code Execution via XSLT Style Sheet Select Attribute

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2005-3757. PoCs published by Metasploit, H D Moore, hdm, including Metasploit module exploits/unix/webapp/google_proxystylesheet_exec.

AI-analyzed exploit summary This Metasploit module exploits a vulnerability in the Saxon XSLT parser used by the Google Search Appliance, allowing arbitrary Java method calls via a crafted XSLT stylesheet. The exploit sets up an HTTP server to serve malicious XML data, triggering command execution on the target.

Description

The Saxon XSLT parser in Google Mini Search Appliance, and possibly Google Search Appliance, allows remote attackers to obtain sensitive information and execute arbitrary code via dangerous Java class methods in select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappshardware
https://www.exploit-db.com/exploits/16907

This Metasploit module exploits a vulnerability in the Saxon XSLT parser used by the Google Search Appliance, allowing arbitrary Java method calls via a crafted XSLT stylesheet. The exploit sets up an HTTP server to serve malicious XML data, triggering command execution on the target.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Google Search Appliance (prior to GA-2005-08-m patch)
No auth needed
Prerequisites: Target must be able to connect back to attacker's machine · Google Search Appliance with vulnerable Saxon XSLT parser
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by H D Moore · remotehardware
https://www.exploit-db.com/exploits/1333

This exploit targets a vulnerability in the Google Search Appliance's Saxon XSLT parser, allowing arbitrary Java method execution via the ProxyStyleSheet feature. It sets up a local HTTP server to serve a malicious XSLT payload, which triggers command execution on the target appliance.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Google Search Appliance (prior to GA-2005-08-m patch)
No auth needed
Prerequisites: Target appliance must be able to connect back to the attacker's machine · HTTP listener port must be accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by hdm · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb

This Metasploit module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance, allowing arbitrary Java method calls. It leverages the 'proxystylesheet' parameter to execute commands via a malicious XSLT file hosted by the attacker.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Google Search Appliance (prior to GA-2005-08-m patch)
No auth needed
Prerequisites: Target must be able to connect back to attacker's machine · Target must be unpatched (pre-GA-2005-08-m)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17644
Exploit, Patch, Vendor Advisory x_refsource_misc
http://metasploit.com/research/vulns/google_proxystylesheet/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/417310/30/0/threaded
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2500
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15509
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015246
Exploit, Patch vdb-entry x_refsource_osvdb
http://www.osvdb.org/20981

Scores

EPSS 0.4218
EPSS Percentile 98.5%

Details

Status published
Products (2)
google/mini_search_appliance
google/search_appliance
Published Nov 22, 2005
Tracked Since Feb 18, 2026