Re: Google lists vulnerable sites.

[Benjamin Krueger <benjamin () seattleFenix net>]

* silencedscream () hotmail com (silencedscream () hotmail com) [020705 15:24]:
> Let me first say that I do now know if this issue has been brought to 
> light before or in what detail it might have been discussed.  On to the 
> show...
>
> The problem I have found is that google may be archiving too much 
> information on sites.  By carefully crafting search strings you can 
> reliably return sites who's root, cgi-bin, bin, admin, etc... directories 
> are exposed and unprotected.  The first thing you must do is select the 
> name of a commonnly protected directory (I will use admin in this 
> example).  The second is to think of a filetype that only the 
> administrator and not the average web surfer would have access to.  
> Things like bin, txt, or htm are no good because they are commonly made 
> available in other directories for legitimate reasons.  For this example 
> I choose to go with .db.  Now to create the search string.
>
> inurl:admin filetype:db
> The above gives us,
> http://www.google.com/search?sourceid=navclient&q=inurl%3Aadmin+filetype%
> 3Adb
>
> The above search sets the requirments that admin must be in the url and 
> only sites that contain a file of the type .db are returned.
>
> Now most of the links you click on will take you to some meaningless url 
> or email database but if for exaple you had
>
> www.somesite.org/admin/cgi-bin/url.db
>
> and you removed the url.db from the link you are now free to traverse 
> through there directories and files.  By useing carefully selected search 
> terms like the ones above I have about a 90-95% success rate of 
> vulnerable sites returned.  The trick is finding the right directory and 
> filetypes to use in the search.

  This has been discussed before, and even caused a flurry of activity when
folks started wandering through the catacombs of google and finding secret and
confidential information in Microsoft Word documents, password lists, and
other security smashing goodies.

  The problem here is not google's research, but rather the insecurity of
said websites. Google is an inanimate automaton and, as nifty as that is, it
cannot judge whether you actually meant to publish a Word document with all of
your trade secrets, or a visible directory that allows an attacker to do 
naughty things.

  If you want your secrets to remain secret, don't publish them on a public
webserver. If you don't want your webserver to be insecure, then secure it. It
really is that simple. =)

-- 
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186  A851 CFF0 7711 251A 4B18