New Web Application Attack - Insecure Indexing
An anonymous reader writes "Take a look at 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines'
by Amit Klein. This is a new article about 'insecure indexing.' It's a good read -- shows you how to find 'invisible files' on a web server and moreover, how to see contents of files you'd usually get a 401/403 response for, using a locally installed search engine that indexes files (not URLs)."
permissions permissions permissions (Score:5, Insightful)
Interesting. Brief summary. (Score:5, Insightful)
Does anyone know if the Google search appliance is affected by this?
- Cary
--Fairfax Underground [fairfaxunderground.com]: Where Fairfax County comes out to play
News at 11! (Score:3, Insightful)
Re:but it's fixed in firefox now (Score:3, Insightful)
That's all nice and good; personally, I think files that were never meant to be indexed make for the best reading by far!
Vs. Database-Driven Sites? (Score:3, Insightful)
Then again, it's about being organized, isn't it? A check of what should and shouldn't be allowed to go public, some sort of flag where even if it shows up in the result, it better not make its way onto the HTML being sent back. (I figure that's more DB-centric though)
Last madman rant -- Don't put anything up there that shouldn't be for public consumption to begin with!!! If you're the kind to leave private XLS, DOC, MDB, and other sensitive data on a PUBLIC server thinking it's safe just because nobody can "see" it, to put it delicately, you're an idiot.
Re:Interesting. Brief summary. (Score:5, Insightful)
Re:permissions permissions permissions (Score:4, Insightful)
Re:News at 11! (Score:1, Insightful)
obvious? (Score:5, Insightful)
I mean, I understand it's a little more complex as described in the article, but I would hardly call this a 'new web application attack'; at best perhaps one of those humorous advisories where the author overstates things and creates much ado about nothing. Or at least that's my take.
-1 not profound
Re:Mozilla Firefox fucking sucks (Score:2, Insightful)
Don't worry, we will give you a full refund.
Re:Vs. Database-Driven Sites? (Score:2, Insightful)
Re:Interesting. Brief summary. (Score:4, Insightful)
That way an anonymous user would see only results for documents that have read permissions for anonymous while a logged-in user would see results for anything they had permissions to.
Of course this idea works fine for a special purpose database-backed web site but takes a bit more work on just your average web site.
Crawling the site via localhost:80 is the most secure method for a normal site. This would index only documents available to the anonymous user already and would ignore any unlinked documents as well.
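The two indexing strategies contrasted in this comment, as an added example that is not part of the thread or of Amit Klein's paper: a toy site with a linked public page, a 403-protected report and an unlinked-but-readable draft, indexed once straight from the document root and once by crawling over HTTP as the anonymous user, plus a query-time permission filter. All paths, bodies and the `SITE`, `http_get`, `index_filesystem`, `index_by_crawling` and `search` names are constructed for the demonstration.

```python
"""
Added example (not from the Slashdot thread or Amit Klein's paper): a toy
comparison of two ways a local search engine can build its index, to show
why crawling the site the way an anonymous visitor would is safer than
indexing the document root directly. All site content is constructed.
"""
from dataclasses import dataclass
import re

# Constructed document root: path -> (body, readable_by). "public" means
# anyone may fetch it over HTTP; "staff" means the web server answers 403
# unless the requester is logged in as staff.
SITE = {
    "/index.html": ("<a href='/about.html'>About</a> <a href='/report.pdf'>Report</a>", "public"),
    "/about.html": ("We sell widgets", "public"),
    "/report.pdf": ("Quarterly report for staff only: revenue 12345", "staff"),
    "/drafts/unlinked.html": ("Secret draft: merger with Acme", "public"),  # readable, but never linked
}


@dataclass(frozen=True)
class Hit:
    path: str
    snippet: str


def http_get(path, user=None):
    """Simulated web server: 404 for unknown paths, 403 for restricted ones."""
    if path not in SITE:
        return 404, ""
    body, acl = SITE[path]
    if acl != "public" and user != "staff":
        return 403, ""
    return 200, body


def index_filesystem():
    """Naive indexer: reads every file under the doc root, ignoring the web
    server's access rules. Unlinked and 403-protected content ends up in
    the index and therefore in search results and snippets."""
    return {path: body for path, (body, _acl) in SITE.items()}


def index_by_crawling(start="/index.html", user=None):
    """Crawl over HTTP as the given user (None = anonymous), following only
    links found in pages the server actually served with 200."""
    index, queue, seen = {}, [start], set()
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        status, body = http_get(path, user)
        if status != 200:
            continue  # 403/404: never indexed, so never searchable
        index[path] = body
        queue.extend(re.findall(r"href='([^']+)'", body))
    return index


def search(index, term, user=None):
    """Query-time filter: even if the index holds a document, return it only
    when the requesting user could fetch it over HTTP right now. Note this
    does NOT hide unlinked files that happen to be world-readable."""
    hits = []
    for path, body in index.items():
        if term.lower() in body.lower():
            status, _ = http_get(path, user)
            if status == 200:
                hits.append(Hit(path, body[:40]))
    return sorted(hits, key=lambda h: h.path)


if __name__ == "__main__":
    fs = index_filesystem()
    crawl = index_by_crawling()
    print("filesystem index:      ", sorted(fs))
    print("anonymous crawl index: ", sorted(crawl))
    print("anon 'revenue', fs index + filter:", search(fs, "revenue"))
    print("anon 'merger',  fs index + filter:", search(fs, "merger"))
    print("anon 'merger',  crawl index:      ", search(crawl, "merger"))
```

Running it shows the two halves of the comment: the permission filter alone keeps the 403-protected report out of anonymous results but still surfaces the unlinked draft, while the anonymous crawl never indexes either, because it only sees what an unauthenticated visitor could reach by following links.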
This is old. (Score:4, Insightful)
Whoever posted this as a "new" item is behind the times.
OWASP covers it! [owasp.org]
Let's not rehash old things!
Re:permissions permissions permissions (Score:1, Insightful)
Amit Klein at least used to work for Watchfire formerly known as Scrotum (Sanctum), and the same company who tried to patent the application security assessment process. I guess it's been a really slow year for vulnerability research. They need a new terminology to scare the executives at fortune 500 corporations, and sell their useless products.
People tend to forget that to compromise data, it's easier to steal the tape from the back of a plane than it is to hack up some stupid search engine.
solution (Score:3, Insightful)
There are variations and contingencies, but the bottom line is, even if someone cracked into the location for an XML metadata file, it's not the data itself, and while it may reveal a few things about the page or file it relates to, it is certainly, bottom line, much less of a risk than full access to other file types on the server.
Here's another tip for free: because you now have metadata in RDF, with a few more lines of code you can output it as RSS.
Re:should have been from.... (Score:2, Insightful)
Of course in those days people actually built their sites using static HTML...
Why worry about this? (Score:1, Insightful)
Anything else goes on a pocket network or not at all.
The only exception would be an order form, and that will be very narrowly designed to do exactly one thing securely.
Re:and don't forget... (Score:3, Insightful)
If they break, how can they be properly designed?