New Web Application Attack - Insecure Indexing
An anonymous reader writes "Take a look at 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines'
by Amit Klein. This is a new article about 'insecure indexing.' It's a good read -- shows you how to find 'invisible files' on a web server and moreover, how to see contents of files you'd usually get a 401/403 response for, using a locally installed search engine that indexes files (not URLs)."
Does anyone know if the Google search appliance is affected by this?
No. First of all, the Google Search Appliance crawls over http, and therefore obeys any .htaccess rules your server uses. Second, you can set it up so that users need to authenticate themselves. Third, there are many filters you can set up to prevent it from indexing sensitive content in the first place (except that since any sensitive content the google appliance indexes must already be accessible via an external http connection, one hopes it's not too sensitive).
My company specialises in search engine technology (for almost a decade now). I've worked quite in-depth with all the big boys (Verity, Autonomy, FAST, ...) and many of the smaller players too (Ultraseek, ISYS, Blue Angel, ...)
I can't recall the last time this kind of attack wasn't mentioned in the documentation for the product, along with instructions on how to disable it. If you choose to ignore the product documentation, you get what you deserve.
It's quite simple folks. Don't open the search engine. ACL query connections. Sanitize queries like you (should?) do other CGI applications. Authenticate queries and results. If you can't be bothered, hire someone who can.
Matt
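The advice in the comment above ("authenticate queries and results") can be illustrated with a small model of the problem the article describes: a search engine that indexes files on disk rather than crawling URLs will happily return paths and snippets from files the web server itself would answer 401/403 for. The following is an added example written for this thread, not code from the article, Amit Klein, or any of the products named; the file set, the access rule and the user names are all constructed sample data.

```python
"""Toy file indexer with an insecure and a hardened query path.

Models the 'insecure indexing' class of problem: the indexer reads the
filesystem directly, so unlinked files and files behind an ACL end up in the
index. The hardened search applies the same access rule used for direct
retrieval to every hit before it is returned, so the index cannot disclose
anything the server would refuse to serve.

All data below is constructed for illustration.
"""
import re
from typing import Dict, Optional, Set

# Constructed sample "web root": path -> file contents.
FILES: Dict[str, str] = {
    "/public/index.html": "Welcome to the site. Product catalogue online.",
    "/public/about.html": "About us. We sell widgets.",
    "/private/payroll.txt": "Payroll data: alice 5000 bob 4000",
    # Backup file not linked from any page: an 'invisible file' that only
    # a filesystem-based indexer would ever find.
    "/admin/config.php.bak": "db_password = hunter2",
}


def allowed(path: str, user: Optional[str]) -> bool:
    """Constructed access rule, standing in for the web server's own ACL:
    anything under /public/ is world-readable, everything else is admin-only."""
    if path.startswith("/public/"):
        return True
    return user == "admin"


def tokenize(text: str) -> Set[str]:
    # Split on anything that is not a letter or digit, so "db_password"
    # yields the terms "db" and "password".
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def build_index(files: Dict[str, str] = FILES) -> Dict[str, Set[str]]:
    """Inverted index: term -> set of paths containing it. Note it indexes
    every file it can read, regardless of whether the server would serve it."""
    postings: Dict[str, Set[str]] = {}
    for path, text in files.items():
        for term in tokenize(text):
            postings.setdefault(term, set()).add(path)
    return postings


def snippet(text: str, term: str, width: int = 15) -> str:
    """Short context window around the first match, as a search UI would show."""
    i = text.lower().find(term.lower())
    if i < 0:
        return ""
    return text[max(0, i - width): i + len(term) + width]


def normalize_query(query: str) -> Optional[str]:
    """Query sanitisation: accept a single alphanumeric term, reject the rest."""
    terms = tokenize(query)
    return terms.pop() if len(terms) == 1 else None


def search_insecure(index: Dict[str, Set[str]], query: str,
                    files: Dict[str, str] = FILES) -> Dict[str, str]:
    """Vulnerable form: returns every hit with a snippet, whoever is asking.
    This leaks both the existence and part of the contents of ACL'd files."""
    term = normalize_query(query)
    if term is None:
        return {}
    return {p: snippet(files[p], term) for p in sorted(index.get(term, ()))}


def search_secure(index: Dict[str, Set[str]], query: str, user: Optional[str],
                  files: Dict[str, str] = FILES) -> Dict[str, str]:
    """Hardened form: each hit is filtered through the same access rule the
    server applies to direct requests, so results never exceed what the
    requesting user could fetch anyway."""
    term = normalize_query(query)
    if term is None:
        return {}
    return {p: snippet(files[p], term)
            for p in sorted(index.get(term, ()))
            if allowed(p, user)}


if __name__ == "__main__":
    idx = build_index()
    print("insecure:", search_insecure(idx, "password"))
    print("anonymous:", search_secure(idx, "password", None))
    print("admin:", search_secure(idx, "password", "admin"))
```

Running the block shows the contrast the thread is about: the insecure search reveals `/admin/config.php.bak` and a snippet of its contents to an anonymous caller, while the hardened search returns nothing for that query unless the caller is `admin`. The same filter is what "authenticate results" amounts to in practice; "ACL query connections" is the further step of refusing the query itself from callers who should not be searching at all.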
I guess a lot of people have seen this site before, but http://johnny.ihackstuff.com/index.php?module=prodreviews has a lot of these google exploits etc, he is posting them up so people can check if their sites are secure. There are some interesting presentations by him on the main site about how search engines can be exploited.