Tuesday, April 23, 2013

Being a good internet citizen

A large percentage of breaches are discovered by having a third party mention to you that you're insecure. I would estimate it to be well over 50%.
Because of that, when I come across things that are vulnerable I typically try to let the company know so they can fix it. Most of these are simple things that are indexed by google that were not meant to be public (see this post on google hacking).

I sometimes get responses, but typically do not. The most common response is a simple thank you email. I've had less nice responses as well, such as people angrily demanding to know what my intentions were. No good deed goes unpunished.


Recently I sent an email to a company to let them know they had a misconfiguration that makes every file on their box viewable (with the permissions of the httpd user) by the entire world. Looked kind of like this:



Plus, everything on their box had been indexed by google. Imagine your backups and config files being freely down-loadable and searchable on google!


Even worse, there wasn't just one domain hosted on this vulnerable box...a reverse lookup of the IP showed that the server was hosting 576 domains!


So I sent them a simple email:

Attention Information Security,
I saw this site on google, and happened to notice that you appear to have a sym link in your document root that points back to / allowing access to your entire system through the webserver.
For example, your passwd file SHOULD NOT be publicly viewable.
http://XXXXXXXXX.com/x.txt/etc/passwd

Please let me know if you have any questions.
Thank you,

I received a response from them, which included this:
It's worth noting that /etc/passwd does not contain any sensitive information, and that although we do not widely publish our configuration, we do not generally consider it to be sensitive as it is relatively trivial to reverse-engineer by experimentation and observation. We conduct regular reviews of our platform's security and take extensive measures to ensure that our servers stay secure.

Huh. Okay.


Note: Names have been redacted to protect the ignorant.

8 comments:

  1. pretty disappointing, in fact when I informed some administrators about public axfr in their dns zones, I got reply like this:
    "The vast majority of information in the DNS can be obtained by enumerating the reverse zones or using Google. Services named in the DNS are intended to be publicly accessible or are protected in various ways".
    different situation, but same question - WTF? :)

    ReplyDelete
  2. Found that site you found a symlink on... After doing some further research, it seems that this site simply copied\stole everything from a different site: Sha*************** @ ap********* (Not sure if I should post this information...) and they've actually done a pretty bad job replacing that logo (by simply covering it with their own).
    Anyways, I'm assuming that's why they don't care for that information being public... It actually doesn't even belong to them in the first place.
    Also, tried the same simple symlink backdoor with the original site and I didn't manage to gain access (I haven't actually pentested the site, simply tried the exact same application that was used previously).

    ReplyDelete
  3. Using a simple Goole dork (inurl) can tell us which sites have this issue: https://www.google.com/search?q=inurl%3A%2Fproducts%2Fmanual%2Fdb

    ReplyDelete
  4. This is totally new.hacking I am definitely enjoying your website. You definitely have some great insight. I am impressed by the quality of information on this website. There are a lot of good resources here. I am sure I will visit this site soon.
    Thanks
    Susanne Green
    medical assistant

    ReplyDelete
  5. Collections from the design labels such as pas cher trx and other beauty are released after every six months.
    With every new launch, a new penny skateboards cheap online technology is developed.
    This had led to making TRX For Sale remain competitive in the International market.
    The entire pas cher trx packaging process is paid into detail to enhance the collections quality and appearance.
    Now everyone can own high-end designer trx france.
    TRX Suspension Training Sale being one of the largest and most prominent fashion company in the world, it has an obligation of beating the standards set by others.
    The fashion world, with a higher concentration on Discount TRX Sale, needs to provide the best packaging services that the modern world has ever seen.
    TRX Suspension Training On Sale plays a major role in creating a brand name that fashion lovers want to identify with.

    ReplyDelete
  6. Thank you for sharing such a nice and detail article.I am waiting for another wonderful articles.

    regards,

    Melbourne web developer

    ReplyDelete
  7. DreamHost is ultimately one of the best website hosting provider with plans for all of your hosting needs.

    ReplyDelete