Is it wrong to laugh (was Re: Google Code Search)
andy at hexten.net
Mon Oct 9 12:22:33 BST 2006
http://lyxus.net/esm if that wraps
> It has come to our attention that Google has released a new
> product, Google Code Search, that is capable of indexing and
> crawling through archive files stored in the public directories of
> web servers. We are reporting this as a security advisory because
> we have discovered that some site administrators are storing
> archives / backups of their website in the web root. Because of
> this, Google Code Search is able to crawl the archives and read
> unparsed PHP files as if they were plain text. This has resulted in
> the disclosure of some sensitive information including MySQL
> passwords and SMTP credentials.
> We felt that it was necessary to release a general advisory now in
> order to warn the sites that have been exposed as well as to
> protect and educate our users on some best practices in order to
> keep your site secure.
> 1. Never store a backup or archived version of your website in a
> web server’s public readable directories.
> 2. Do not leave files that you do not want to be read/indexed/
> searched/downloaded in the web root.
> 3. If it is absolutely necessary, make your hosting provider
> disable directory index generation for that directory.*
> 4. Password protect directories that contain sensitive information.
> Futhermore, if you think your site’s login credentials may have
> been compromised in this way, please remove the backups / archives
> stored in the web root, change all of the associated passwords, and
> if necessary, ask your hosting provider to restore your site from a
> previous backup and be sure that they clean up after themselves and
> remove the archive that they used to restore your site.
> If you would like more proactive protection against the indexing
> and downloading of related archives, please see this thread in the
> Joomla! Security Forums where some discussion is being held on how
> to protect yourself from these problems. http://forum.joomla.org/
> * Directory Indexing is a feature of mod_dir, an Apache module that
> will generate a list of all files in a directory if there is no
> index.html/php/etc file found in that directory. This is most
> likely how the archives are being found by Google Code Search.
Andy Armstrong, hexten.net
More information about the london.pm