Multiple improper error handling vulnerabilities were identified as affecting Security Console/ Admin Console (build 6_24) and Message Centre II (build 6_24) services. When exploited, such vulnerabilities could lead to disclosing implementation details, such as resource's location on the server's file system, products and API versions, internal code, etc.
An attacker could gather such information and use it for devising further exploits (eg. SQL Injection - see MVSA-10-001 advisory).
By providing malformed values for various parameters, Security Console/Admin Console and Message Centre II services return detailed errors exposing implementation details.
Security Console (Admin Console)
Message Centre II
Security Console service of Google Message Security SaaS build 6_24 (January 2010).
Message Center II service of Google Message Security SaaS build 6_24 (January 2010).
Google fixed the issues in Security Console build 6_25 (February 2010) and Message Center II build 6_25 (February 2010).
January 24: Vulnerabilities discovered and documented
Dr. Marian Ventuneac
Security Advisories >