Is it wrong to laugh (was Re: Google Code Search)

Andy Armstrong andy at hexten.net
Mon Oct 9 12:22:33 BST 2006


From:

http://dev.joomla.org/component/option,com_jd-wp/Itemid,33/p,198/

or

http://lyxus.net/esm if that wraps

> It has come to our attention that Google has released a new  
> product, Google Code Search, that is capable of indexing and  
> crawling through archive files stored in the public directories of  
> web servers. We are reporting this as a security advisory because  
> we have discovered that some site administrators are storing  
> archives / backups of their website in the web root. Because of  
> this, Google Code Search is able to crawl the archives and read  
> unparsed PHP files as if they were plain text. This has resulted in  
> the disclosure of some sensitive information including MySQL  
> passwords and SMTP credentials.
>
> We felt that it was necessary to release a general advisory now in  
> order to warn the sites that have been exposed as well as to  
> protect and educate our users on some best practices in order to  
> keep your site secure.
>
> 1. Never store a backup or archived version of your website in a  
> web server’s public readable directories.
> 2. Do not leave files that you do not want to be read/indexed/ 
> searched/downloaded in the web root.
> 3. If it is absolutely necessary, make your hosting provider  
> disable directory index generation for that directory.*
> 4. Password protect directories that contain sensitive information.
>
> Furthermore, if you think your site’s login credentials may have
> been compromised in this way, please remove the backups / archives
> stored in the web root, change all of the associated passwords, and
> if necessary, ask your hosting provider to restore your site from a
> previous backup and be sure that they clean up after themselves and
> remove the archive that they used to restore your site.
>
> If you would like more proactive protection against the indexing
> and downloading of related archives, please see this thread in the
> Joomla! Security Forums where some discussion is being held on how
> to protect yourself from these problems.
> http://forum.joomla.org/index.php/topic,101880.0.html
>
> * Directory Indexing is a feature of mod_dir, an Apache module that  
> will generate a list of all files in a directory if there is no  
> index.html/php/etc file found in that directory. This is most  
> likely how the archives are being found by Google Code Search.
-- 
Andy Armstrong, hexten.net
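An audit helper for the two conditions the quoted advisory describes (backup archives sitting in the web root, and directories that mod_dir would list because they carry no index file). This is an added example, not code from the post or from the Joomla advisory; it assumes the document root is passed as the first argument and builds its own constructed sample tree for the demo.

```shell
#!/bin/sh
# Added audit helper (not part of the original post or the Joomla advisory).
# Assumption: the document root path is passed as the first argument.

# Lists archive / backup / database-dump files under the document root,
# i.e. the kind of file the advisory says should never be web-readable.
find_exposed_archives() {
    docroot="$1"
    find "$docroot" -type f \( \
        -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname '*.tgz' \
        -o -iname '*.tar.bz2' -o -iname '*.7z' -o -iname '*.rar' \
        -o -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.bak' -o -iname '*.old' \
    \) 2>/dev/null | sort
}

# Lists directories under the document root that have no index.html /
# index.htm / index.php, which is what lets Apache's mod_dir autoindex
# generate a file listing for them.
find_unindexed_dirs() {
    docroot="$1"
    find "$docroot" -type d 2>/dev/null | while IFS= read -r d; do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.htm" ] && [ ! -e "$d/index.php" ]; then
            printf '%s\n' "$d"
        fi
    done | sort
}

# Demonstration on a constructed temporary layout (sample data, not a real site).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/images" "$tmp/backups"
    : > "$tmp/index.php"
    : > "$tmp/images/logo.png"
    : > "$tmp/backups/site-2006-10-09.tar.gz"   # backup left in the web root
    : > "$tmp/db.sql"                           # database dump left in the web root
    echo "== archive / backup files under $tmp =="
    find_exposed_archives "$tmp"
    echo "== directories without an index file (autoindex candidates) =="
    find_unindexed_dirs "$tmp"
    rm -rf "$tmp"
}
```

The script only reports; the remediation is the advisory's own (move the files out of the web root, and for directories that must stay, turn off autoindex, which in Apache is `Options -Indexes` for that directory).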
