72 Comments
- netburnr, on 10/12/2007, -2/+34
Neo, how is it google's fault? Obviously this is a security problem with the various web developers out there, google is just indexing them.
- rabiddogma, on 10/12/2007, -0/+22
It may be wrong for me to try to see you naked, and you may not want me to, but if you walk around your house with the drapes open and no pants on then you don't really have any grounds to complain if someone does see you naked.
- latova, on 10/12/2007, -4/+24
The google spider doesn't know the difference between your blog and your passwords. They do their best to remove backdoors and so on, but ultimately you just have to be careful. Everyone makes mistakes, though. The google spider is logical and perfect, we as humans are not.
- whisperedlie, on 10/12/2007, -4/+19
who cares? these are source files, not production .config files.
- somerandomnerd, on 10/12/2007, -2/+16
Then they shouldn't put them in public places.
- crpietschmann, on 10/12/2007, -2/+13
search for "connectionstring file:web.config" and you'll find database connection strings for ASP.NET 2.0 web applications.
Below are two web.config files with passwords in them:
http://google.com/codesearch?q=+file:web.config+discountasp.net+show:5JjkFGBaf5c:qjXh1d9Z7rE:SVNCtQSrIck&sa=N&cd=1&ct=rc&cs_p=http://www.vrdotnet.com/Projects/UNeDocs/Sources/UneDocsSources.zip&cs_f=UneDocs/Src/Server/UNeDocsWebServiceLibrary/Web.config#a0
http://google.com/codesearch?q=+file:web.config+connectionstring+pwd%3D+show:CU41SOd97uE:ETRH4t2fEP4:kStCOM9rUy0&sa=N&cd=73&ct=rc&cs_p=http://media.wiley.com/product_ancillary/40/07821425/DOWNLOAD/4254code.zip&cs_f=Realtor/xmlreader/Web.config#a0
- mb309, on 12/31/2008, -0/+11
That information has always been there, Google has just made it easier to find. You _probably_ just had to use a specially crafted Google search query to find them before this was released.
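The query crpietschmann posted finds connection strings that were uploaded in the clear; the same check can be run on your own tree before anything is published. What follows is an added example, not code from the thread: a Python audit that walks a directory, opens loose web.config files and the web.config files inside .zip backups, and reports every connection string carrying a non-empty pwd= or password= value. A section encrypted with aspnet_regiis -pe (configProtectionProvider attribute, EncryptedData child) is treated as protected rather than reported. The three sample configs and the site/backups layout the demo builds are constructed for the demonstration.

```python
"""Pre-publish audit for clear-text database credentials in web.config files,
whether the file sits loose in a tree or inside a .zip backup archive.

Added example, not code from the thread. The connection-string keys (pwd,
password) and the protected-section markers (configProtectionProvider
attribute, EncryptedData child) are real ASP.NET conventions; the sample
configs and the site/backups layout built below are constructed.
"""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Keys inside an ADO.NET connection string that carry a secret.
SECRET_KEY = re.compile(r"(?i)\b(pwd|password)\s*=\s*([^;]*)")

# Constructed sample: a clear-text SQL login in the connection string.
PLAIN = b"""<configuration>
  <connectionStrings>
    <add name="Shop" providerName="System.Data.SqlClient"
         connectionString="Server=db;Database=shop;User Id=sa;Pwd=s3cret;"/>
  </connectionStrings>
</configuration>"""

# Constructed sample: the same section after aspnet_regiis -pe; the cipher
# value is a placeholder, not real tool output.
PROTECTED = b"""<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

# Constructed sample: integrated auth, nothing secret in the string.
INTEGRATED = b"""<configuration>
  <connectionStrings>
    <add name="Reports" providerName="System.Data.SqlClient"
         connectionString="Server=db;Database=reports;Integrated Security=SSPI;"/>
  </connectionStrings>
</configuration>"""


def find_plaintext_secrets(xml_bytes):
    """Return [(connection name, secret key)] for each clear-text credential.
    A section protected by aspnet_regiis is skipped, not reported."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return [("<unparseable>", "xml")]
    findings = []
    for section in root.iter("connectionStrings"):
        protected = section.get("configProtectionProvider") is not None or any(
            child.tag.endswith("EncryptedData") for child in section)
        if protected:
            continue
        for add in section.findall("add"):
            for key, value in SECRET_KEY.findall(add.get("connectionString", "")):
                if value.strip():
                    findings.append((add.get("name", "?"), key.lower()))
    return findings


def scan_tree(root_dir):
    """Walk root_dir: check loose web.config files and every web.config inside
    a .zip archive. Returns sorted [(location, name, key)]; locations are
    relative to root_dir, zipped members are written as 'archive!member'."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            if fname.lower() == "web.config":
                with open(path, "rb") as fh:
                    hits = find_plaintext_secrets(fh.read())
                results += [(rel, n, k) for n, k in hits]
            elif fname.lower().endswith(".zip") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if os.path.basename(member).lower() != "web.config":
                            continue
                        hits = find_plaintext_secrets(zf.read(member))
                        results += [(rel + "!" + member, n, k) for n, k in hits]
    return sorted(results)


def demo():
    """Build the constructed layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "site", "admin"))
        os.makedirs(os.path.join(tmp, "backups"))
        with open(os.path.join(tmp, "site", "web.config"), "wb") as fh:
            fh.write(PLAIN)
        with open(os.path.join(tmp, "site", "admin", "web.config"), "wb") as fh:
            fh.write(INTEGRATED)
        # The backup archive a spider would pick up if it sat under the web root.
        with zipfile.ZipFile(os.path.join(tmp, "backups", "site-backup.zip"), "w") as zf:
            zf.writestr("site/web.config", PLAIN)
            zf.writestr("site/secure/web.config", PROTECTED)
        return scan_tree(tmp)


if __name__ == "__main__":
    for location, name, key in demo():
        print(f"{location}: connection '{name}' has clear-text {key}=")
```

The scan reports the loose site/web.config and the copy inside the backup zip, and stays silent on the integrated-auth and encrypted sections; running it over a release tree or a backup directory before upload catches exactly the files that search engines were indexing here.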
- FreakTrap, on 10/12/2007, -2/+12
robots.txt
- maverick999, on 10/12/2007, -3/+12
If you encrypt your connection strings in .NET, then this shouldn't be a problem. For anyone who doesn't know how to do this, here's a good article on it (not my blog):
http://waynester.net/blog/archive/2006/09/14/5132.aspx
- eurleif, on 10/12/2007, -2/+11
@maverick999:
Encryption seems like the wrong way to solve this. What's wrong with not making the configuration file Web-accessible at all?
- ABadInAlbany, on 10/12/2007, -3/+12
for anyone who has bothered to check, few if any of these are usable.
- heysuburbia, on 10/12/2007, -9/+16
***** I thought admin = "admin" and password = "pass" on my WordPress blog about Web 2.0 logos and AJAX appz was secure!
- nutcase, on 10/12/2007, -5/+12
marked as retarded
these are source files for projects etc... If you make something from these source files you change the pwd.
- forcedfx, on 10/12/2007, -0/+6
Not Google, the people who were careless.
- imjustabill, on 10/12/2007, -0/+5
If you're putting anything up on a webserver, people can access it. I don't know why people freak out when things that are freely accessible on the internet come in more convenient form (think facebook newsfeeds) and people act as if somehow their privacy is being violated. If you don't want it accessible to the world, don't put it on the internet. Or at least use the spiders.txt if you don't want search engines to index it.
- Cthalupa, on 10/12/2007, -0/+5
Neocrazy, uh, no. Source code by default is UNLICENSED. You have to apply one for it to have a license. GNU/GPL is NOT the default license for source code.
- neko, on 10/12/2007, -0/+5
@griz
That'd be called Google Voyeur, and would harness webcams from around the world combined with Google Video.
*checks blinds out of paranoia*
- Poco, on 10/12/2007, -0/+5
Idiot
- pureliquidhw, on 10/12/2007, -0/+5
what's that? unencrypted, hardcoded passwords are easy to find? I had no idea my code was so vulnerable.
- lqqkout4elfy, on 10/12/2007, -1/+6
This is all inaccurate. Google combs through compressed files. Those files are PUBLIC anyway. So if you downloaded the compressed files, you'd be able to see the passwords as well. And people dumb enough to include passwords in a publicly available file should be warned by this.
- pred8tr, on 10/12/2007, -0/+4
Geesh! What happened to strong passwords?
Anubis? yabadabadu
C'mon!
- jcaino, on 10/12/2007, -0/+5
seriously.
use a robots.txt file or better yet, SET YOUR PERMISSIONS PROPERLY
is that so damn hard? and if it's php or cgi and it needs to be accessed by apache to display on the site - use a wrapper so it runs as you....of course, you need to make sure you're using secure code....
this is the problem when things are made too easy for people to set up
- noodlez, on 10/12/2007, -0/+5
@freaktrap
find a piece of code on google search that doesn't have an appropriate license attached. i haven't, yet. nor can i find any windows code (windows code, not code that runs on windows) or hl2.
and no, code isn't open by default. but for google to crawl and index the code, it has to be referenced from elsewhere. someone has to be pointing to it, offering the open door. google can't find something that is 100% unreferenced, nor will it find something that is "locked" with a robots file.
- senfo, on 10/12/2007, -1/+6
@eurleif,
web.config isn't accessible, by default. If it is viewable to the world, we're dealing with an uneducated "webmaster" or the indexed files were found on sites providing ASP.NET demonstrations.
- FreakTrap, on 10/12/2007, -3/+7
@noodlez
Breaking-in and Entering are two separate crimes. Just because the door is wide open, doesn't give you the right to walk right in and treat private property like public domain.
Just so you know, code is NOT public by nature. That's like saying that the Half Life 2 source code that was leaked was public domain, or that the Windows source code that was leaked as well was legally public.
- Dotnetsky, on 10/12/2007, -0/+4
None of you people are reading much. I quote:
"Google Code Search respects robots.txt, so there are a couple ways you can block us from crawling your code:
If you have access to the robots file for your web server, you can add your code's path to the Disallow: line. Learn more.
Alternatively, you can simply put a robots file in the root directory of your code package. This will work for both archives and source control repositories like CVS and Subversion. For example, to indicate you want none of your code crawled, you could add a file called robots.txt in the root directory with the following:
User-agent: *
Disallow: / "
- Seraph787, on 10/12/2007, -4/+8
This is not the fault of google. This is the fault of stupid web administrators who backup their websites in public places with easy access to config files without editing the important info.
- fatdog789, on 10/12/2007, -0/+4
*cough* All code IS LICENSED by default under normal copyright regulations, meaning: fair use, but otherwise you need permission if you want to use it in your own commercial/public project.
Code is licensed primarily because normal copyright conventions don't convert so well to computer code.
Once again, in the absence of any license or copyright notice, all code is protected/covered by normal/default copyright protections.
- okokitsme, on 10/12/2007, -0/+4
Link? Is that what that underlined blue title is supposed to be?
- vexx, on 10/12/2007, -0/+4
Article? Is that what that link at the top goes to?
- griz, on 10/12/2007, -0/+4
@ rabiddogma
True, but what would the fallout be if someone created an index that listed all houses who left their blinds open on a nightly basis and went so far as to list those who have the highest likelihood of nakedness walking by those blinds?
- Poco, on 10/12/2007, -0/+3
What most of us are saying is that this is equivalent to writing your password on your front door and then complaining that anyone walking by can read it, write it down for future reference, and share it with others.
- FreakTrap, on 10/12/2007, -3/+6
Yea, know. We all read the article...
- Seraph787, on 10/12/2007, -4/+7
not only source files for projects. some of these idiot web admins backup their entire website into a tar.gz using some script and put it on the net for public download with config files and all so they can download it later.
- llbbl, on 10/12/2007, -0/+3
Lessons learned, any of these solutions would prevent google from indexing your database passwords.
1) Backups shouldn't be stored under web root directory if possible
2) If backups will be stored temporarily somewhere then keep them somewhere with an index.php file so that spiders can index files listed in the directory
3) Turn off directory listing for the entire website
- 16777216, on 10/12/2007, -0/+3
semaphore169
6quasistellarmeat0442
now them is good log and pass
- noodlez, on 10/12/2007, -1/+4
you'd think so.
but that's the exact same problem with the ATM hacking that's all the rage nowadays. people leave passwords as defaults because most people don't know better.
- etnu, on 10/12/2007, -0/+2
To be fair, there ARE a lot of people who leave passwords sitting in a web-accessible directory, but their web server isn't set up to process the file so instead serves plain text. Try running apache without mod_php sometime and see what your source files look like.
Don't put ANYTHING in the web root except for the entry point, period. That root can do the necessary loading of components from outside the root (and, for the love of all things holy, don't put hard coded paths in there either!)
- itanshi, on 10/12/2007, -0/+2
that may be true, but it may be that those found by some percentage are demo fields
or are now
- DummyO, on 10/12/2007, -0/+2
searching for file:web.config impersonate="true" should get you passwords of system/domain accounts not just DB access.
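llbbl's third item (turn off directory listing) and etnu's point that a misconfigured server hands back source and config as plain text both come down to what the web server is told to serve. What follows is an added example, not code from the thread or from the Apache project: a Python audit over a flat Apache virtual-host config that reports whether any Options line enables directory listings and which archive, backup and config extensions are not covered by a FilesMatch block that denies them. The weak and hardened configs it checks are constructed; Options, FilesMatch, Require and Deny are real httpd directives, but the parser assumes a single flat file and ignores Include files and per-directory merge order.

```python
"""Audit a flat Apache vhost config for directory listings and for whether
archives, backups and config files under the web root are refused.

Added example, not code from the thread or from Apache. The two configs are
constructed; the directives are standard httpd ones, but this parser handles
only a single flat file, not Include files or per-directory merge order.
"""
import re

# Extensions that should never be served from a web root.
SENSITIVE_EXT = ("zip", "tar", "gz", "bak", "old", "sql", "config", "inc")

# Constructed: listings on, and a backup .zip would be served as a plain file.
WEAK = r"""
<VirtualHost *:80>
    DocumentRoot /var/www/site
    <Directory /var/www/site>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
"""

# Constructed: listings off, sensitive extensions denied outright.
HARDENED = r"""
<VirtualHost *:80>
    DocumentRoot /var/www/site
    <Directory /var/www/site>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    # Archives, editor backups, SQL dumps and config files: never serve.
    <FilesMatch "\.(zip|tar|gz|bak|old|sql|config|inc)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
"""


def _directives(text):
    """Yield config lines with comments and surrounding whitespace removed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def listing_enabled(text):
    """True if any Options line turns on directory listings: 'Indexes'
    (absolute form) or '+Indexes' (relative form). '-Indexes' and 'None'
    do not enable them."""
    for line in _directives(text):
        m = re.match(r"(?i)options\s+(.+)", line)
        if m and any(t.lower() in ("indexes", "+indexes") for t in m.group(1).split()):
            return True
    return False


def denied_extensions(text):
    """Extensions refused by a FilesMatch block that contains
    'Require all denied' (httpd 2.4) or 'Deny from all' (httpd 2.2)."""
    denied = set()
    blocks = re.finditer(r'(?is)<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', text)
    for m in blocks:
        pattern, body = m.group(1), m.group(2)
        if not re.search(r"(?i)require\s+all\s+denied|deny\s+from\s+all", body):
            continue
        rx = re.compile(pattern)  # FilesMatch patterns are regular expressions
        denied.update(e for e in SENSITIVE_EXT if rx.search("backup." + e))
    return denied


def audit(text):
    """Summarise both checks for one config text."""
    denied = denied_extensions(text)
    return {
        "directory_listing": listing_enabled(text),
        "unprotected_extensions": sorted(e for e in SENSITIVE_EXT if e not in denied),
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

The weak config reports listings enabled and all eight extensions unprotected; the hardened one reports neither. Denying the extensions is a backstop only: as llbbl's first item says, backups that never sit under the web root cannot be served by any configuration mistake.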
- inactive, on 10/12/2007, -3/+4
Wow...
searching for C# and config and password:
Config.cs
318: Username = "root";
Password = "dbox2";
Timeouts = 3;
xxxx.xxxx/.../xxxxxxxxx-src.zip - Unknown License - C#
- inactive, on 10/12/2007, -0/+1
yeh, but the ones that are usable definitely work, i used the hoffman one, and it definitely logs into some weird thing... I sent him an email to change his password...
lol he's gonna be so confused
- quetivity, on 08/30/2008, -0/+1
for some reason I have a hard time believing this crap
- robertDouglass, on 10/12/2007, -0/+1
http://tinyurl.com/fm3sr
Lots of MySQL passwords.
- donquixote235, on 10/12/2007, -0/+1
The thing that I think a lot of people are unaware of is that these config files aren't sitting out in the open, generally; rather, they're being pulled out of a zip file somewhere on the domain. Some user at some point decided to back up the code, so he zipped it up and stuck "sourcefile.zip" (or whatever) onto the website. Stupid move.
Left to their own devices, php files and web-config files etc ARE secure. Unfortunately the end-user just wasn't thinking when he decided to archive the code.
- hackershandbook, on 10/12/2007, -0/+1
try amazon_id and other stuff where people have cut and pasted code and left in the bit that says "place your developer id here" .... "my $dev_key" and variations on those themes can be kind of interesting.....
- wulanshout, on 11/08/2008, -0/+0
http://www.wulanshout.com/seo/busby-seo-test-seo-c ...
Busby SEO Test has been released! The next Busby Web Solutions Search Engine Optimisation Challenge starts on October 1st and finishes on January 31st, 2009. Get join and win $5000 grand prize
- mshaffer, on 10/12/2007, -1/+1
Ah. I looked at the first example link... found this comment in the code:
"This code was generated by a tool."
At least the developer is aware of her security skillz.
- Adrianc333, on 10/12/2007, -1/+1
Lol...
Nice "trick", doubt anything will become of it though. :)
- MrChuckFL, on 10/12/2007, -1/+1
Is he a tool?
Is the script a tool?
or are both tools?