Google can be Used to Compromise Insecure Sites

There’s an interesting article on ShoeMoney that demonstrates how simple it is to explore vulnerabilities in public code using Google Code Search. The article may be of use to you if you’re in doubt about your site’s security. It also shows how incredibly easy it is to find vulnerabilities in scripts indexed by Google. In addition, here’s a few tips to help you strengthen your site’s security:

  • Don’t leave backups of any of your files in plain view, e.g. a config.php.BAK file in the same directory as config.php: the backup is not processed by PHP, so the server outputs it as plain text and anyone can read it. At the very least, if you have to leave them in plain sight, protect the directory they’re in with something like .htaccess Password Protection. This applies especially to those who are using the Google Sitemap generator and have the option to scan the file tree enabled (because it will index files that aren’t necessarily linked to from anywhere on the web).
  • Don’t display version numbers. If you’re running well-known software on your site such as phpBB, Wordpress, etc., be sure to remove any display of the current software version (it’s typically in the page footer, e.g. change “Powered by Wordpress 2.0.5” to “Powered by Wordpress”). Searching for those ‘Powered by’ lines is the easiest way for a hacker to find sites to compromise.
  • Make a global config file. If you’re designing your own dynamic pages, try to keep sensitive data in one file, e.g. config.php, rather than creating database connections manually in several PHP files, especially if you’re the kind of guy who edits a live site manually and might make temporary backups. If, say, listitems.php.bak were viewed from somewhere else, hackers wouldn’t be able to obtain login credentials by looking at the source (note that hackers can still find XSS/SQL injection vulnerabilities if you leave them in plain view). It is rather self-explanatory why you should not leave backups of your config.php file lying around.
  • Limit your database access. If you’re running your web server on the same server as your database server, limit database access to localhost/127.0.0.1 only. If a hacker somehow acquires your login credentials, he can’t do much with it.
  • Ensure your Apache handlers are in place. Verify that all dynamic scripts are actually being processed on your server rather than output in plain text. If you need to make backups of your scripts, keep the original extension:
    BAD: listitems.php~ - listitems.php.bak
    GOOD: listitems.bak.php - listitems.old.php
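
The following audit script is an added example and is not part of the original post. It puts the first and last tips into practice: it walks a web root looking for backup copies whose final extension would not be handed to the PHP handler (config.php.BAK, listitems.php~ and the like, which Apache would serve as plain text), and prints an Apache 2.4 `FilesMatch` rule that refuses to serve such suffixes at all. The sample directory tree, file names and the placeholder password it creates are constructed for the demonstration; the suffix list is an assumption and should be extended to whatever your editors and deployment tools produce.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for backup
# copies of scripts that the web server would output as plain text, i.e.
# files whose last extension is not one the PHP handler processes.
# The suffix list and the sample tree below are constructed for the demo.

# Print every file under $1 whose name ends in a backup suffix that Apache
# will not hand to the PHP interpreter (config.php.BAK, listitems.php~ ...).
find_exposed_backups() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '*.BAK' \
        -o -name '*.old' -o -name '*.orig' -o -name '*.swp' -o -name '*.save' \) \
        | sort
}

# Number of findings, so a cron job or a test can act on it.
count_exposed_backups() {
    find_exposed_backups "$1" | wc -l | tr -d ' '
}

# Apache 2.4 snippet that refuses to serve those suffixes regardless of where
# they sit under the document root (belt and braces for files that slip through).
deny_backup_rule() {
    cat <<'EOF'
<FilesMatch "(~|\.(bak|BAK|old|orig|swp|save))$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample tree: two leaked backups, two safely named ones that keep
# the .php extension and therefore still go through the PHP handler.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/admin"
    printf '<?php $db_pass = "placeholder-password";\n' > "$dir/config.php"
    cp "$dir/config.php" "$dir/config.php.BAK"                  # served as text: leaks the password
    printf '<?php echo "x";\n' > "$dir/admin/listitems.php~"     # editor backup: also served as text
    printf '<?php echo "x";\n' > "$dir/admin/listitems.old.php"  # GOOD: still processed by PHP
    printf '<?php echo "x";\n' > "$dir/listitems.bak.php"        # GOOD: still processed by PHP
    printf '%s\n' "$dir"
}

# Run with --demo to see the audit on the constructed tree; in real use call
# find_exposed_backups /var/www/html (path is an assumption) from cron.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "Exposed backups under $root:"
    find_exposed_backups "$root"
    echo
    echo "Suggested Apache rule:"
    deny_backup_rule
    rm -rf "$root"
fi
```

On the constructed tree the audit reports exactly the two files that break the post's naming rule (config.php.BAK and admin/listitems.php~) and ignores listitems.bak.php and listitems.old.php, which keep .php as the final extension. The `FilesMatch` rule is a second line of defence only; the real fix is not leaving the backups in the document root in the first place.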

Just for clarification: The Google Sitemap Generator, Google Search or Google Code Search can’t read your code unless it is being output as plain text - also, the Sitemap Generator does not read the contents of your files, it merely compiles a list of links that the Google Spider then crawls.
