New Web Application Attack - Insecure Indexing
An anonymous reader writes "Take a look at 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines' by Amit Klein. This is a new article about 'insecure indexing.' It's a good read -- shows you how to find 'invisible files' on a web server and moreover, how to see contents of files you'd usually get a 401/403 response for, using a locally installed search engine that indexes files (not URLs)."
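A defender-side check for the condition the summary describes, as an added example that is not from the article or the post: it walks a document root the way a file-based indexer would and flags files the web server would refuse (401/403) or that no page links to. The deny globs, the sample site and the function names are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed, simplified access policy: URL paths matching these globs get 401/403.
DENY_GLOBS = ["/private/*", "*.bak", "/.ht*"]


def url_path(docroot, file_path):
    """Map a file on disk to the URL path the web server would serve it at."""
    rel = os.path.relpath(file_path, docroot)
    return "/" + rel.replace(os.sep, "/")


def audit_index_exposure(docroot, linked_urls, deny_globs=DENY_GLOBS):
    """Return {url: reason} for files a file-system indexer would ingest
    although a URL-following crawler would never have read them."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            url = url_path(docroot, os.path.join(dirpath, name))
            if any(fnmatch.fnmatch(url, g) for g in deny_globs):
                findings[url] = "denied (401/403) but indexed"
            elif url not in linked_urls:
                findings[url] = "unlinked ('invisible') but indexed"
    return findings


def build_sample_docroot():
    """Constructed sample site: one public page, one denied file, one unlinked file."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "private"))
    for rel, body in [("index.html", "welcome"),
                      ("private/salaries.txt", "constructed secret"),
                      ("old-draft.html", "forgotten page")]:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    findings = audit_index_exposure(root, {"/index.html"})
    for url, reason in sorted(findings.items()):
        print(f"{url}: {reason}")
```

Every path it reports is a candidate for the indexer's exclusion list, or for moving out of the indexed tree.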
The article says: "The attacker first loops through all possible words in English"
I mean, is this not a bit too ridiculous? (Esp. if the inaccessible file is someone's personal outdated webpage.) If it is anything useful (to a hacker or other persons involved in illegitimate activity), then the technique will most probably fail.
I am not saying that there is no vulnerability (getting data from search snippets is a good idea), but the third option I just quoted above seems to be pretty lame.