Google "Code Search" Web Server Security Risk!


The following is from a Joomla Newsletter alert I received via e-mail. I thought this might interest our membership as a lot of us have websites on hosts crawled by Google.

Critical Security Update!!
It has come to our attention that Google has released a new product, Google Code Search, that is capable of indexing and crawling through archive files stored in the public directories of web servers. We are reporting this as a security advisory because we have discovered that some site administrators are storing archives / backups of their website in the web root. Because of this, Google Code Search is able to crawl the archives and read unparsed PHP files as if they were plain text. This has resulted in the disclosure of some sensitive information including MySQL passwords and SMTP credentials.
I wonder if the same holds true for .ASP files. If so, HS users should especially take note, as the login information is in the page EA: If password =xxxx etc.
Wow, looks like panic is about to break out over there... or already has... but this is nothing new.

The upshot of it is, if you store a file - any file - in a publicly-available directory on a web server, it can be downloaded (unless the web server specifically prevents it) if the filename can be guessed, even if a directory listing is not available. The act of storing a file that isn't linked to or publicly known is "security by obscurity", and it doesn't work.

Anyone can get a piece of open-source code and find out how/where it stores its files. Then they can write a program to crawl websites looking for those files...

So, just make sure the directories of your web server are appropriately protected, or don't store files there even if they aren't linked into the site.

Leaving a backup of your entire site or critical files hanging around publicly available is inviting a hacker to hack your site.
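As an added example (not from the newsletter or from any poster in this thread), here is a small POSIX shell audit that does what the last post recommends: it walks a web root looking for archive, dump and editor-backup files that a crawler could fetch by guessing the name, and writes an Apache 2.2-style .htaccess that denies direct download of those extensions. The sample web root it builds, the file names in it, and the assumption that the server is Apache with .htaccess overrides enabled are all constructed for the example; the real fix remains moving such files outside the web root entirely.

```shell
#!/bin/sh
# Audit a web root for files a crawler could download as plain text.
# Added example; assumes POSIX sh with find, sort, wc, mktemp.

# List (one per line) regular files under $1 whose names look like
# archives, database dumps or editor/backup copies.
find_exposed_backups() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' \
        -o -name '*.tgz' -o -name '*.sql' -o -name '*.bak' -o -name '*.old' \
        -o -name '*~' \) | sort
}

# Number of such files under $1, printed on stdout with no padding.
count_exposed_backups() {
    find_exposed_backups "$1" | wc -l | tr -d ' '
}

# Write an .htaccess into $1 that refuses to serve those extensions.
# Apache 2.2 directives; on Apache 2.4 use "Require all denied" instead
# of the Order/Deny pair. Only effective if AllowOverride permits it.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny direct download of archive and backup files
<FilesMatch "\.(zip|tar|gz|tgz|sql|bak|old)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Build a constructed sample web root (temporary directory) so the audit
# can be tried offline. Three of the files below should be flagged.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images" "$dir/administrator"
    : > "$dir/index.php"
    : > "$dir/configuration.php"
    : > "$dir/images/logo.png"
    : > "$dir/site-backup-2006.tar.gz"      # whole-site archive left in web root
    : > "$dir/administrator/db-dump.sql"     # database dump
    : > "$dir/configuration.php.bak"         # editor backup of the config file
    printf '%s\n' "$dir"
}

# Usage on a real server:  find_exposed_backups /var/www/html
```

Run the audit from cron or before each deploy; anything it lists should be moved to a directory the web server cannot reach, not merely hidden behind an unguessable name. The .htaccess rule is a stopgap for files you cannot move immediately, and it protects nothing if the host disables overrides.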