Blog Post RSS ?

Blogs » PHP » Oh dear
« JSON-P output with Rails
September Links from DotNetLand »
 

Oh dear

by Harry Fuecks

Google Code Search for Security Vulnerabilities

Here’s my attempt – hunting for $_GET / $_POST / $_COOKIE placed at the start of on and include / require / include_once / require_once – potentially a path to include remote files. (Un)?fortunately seems to break the search interface right now – although more results are reported, you can’t seem to get beyond page 2 right now.

lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)

So what’s the opposite of “security by obscurity” – because this seems to be it – Koders at least kept their search syntax weak.

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Ping.fm
  • Twitthis

Related posts:

  1. PHP Virus Attacking Web Hosts
  2. 3 Things About Cookies You May Not Know
  3. Generating PHP with Ruby
  4. Google’s tracking links – grrrrrrrrr!
  5. Conditional Class Declaration – bad practice?

This entry was posted on Friday, October 6th, 2006 at 9:08 am, contains 113 words, 6 images, and is filed under PHP. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed. The views and opinions in this blog post are those of its author.

This post has 4 responses so far

  1. Seems something is broken in their code search right now, your example doesn’t return any results. Another test: lang:php include is OK. But trying lang:php include\s* again no results..

    CAGRETNo Avatar
    October 6th, 2006 at 11:53 pm

  2. VBulletin Licence Number lang:php

    Plug that into google code search, you can actually search for VB licence numbers, google better fix this quick.

    Lionheart008No Avatar
    October 7th, 2006 at 11:40 pm

  3. “Fix”? Why? Because stupid people expose code on the Internet?

    Google is doing software engineering a great service, not just through search, but by exposing these glaring security holes. If google’s spider can find it, SO CAN SOMEBODY TRYING TO DO SOMETHING MALICIOUS!

    Here are some tips:

    1. Don’t leave sensitive information in publicly accessible directories. If you don’t understand why this is important, you deserve to get hacked.

    2. Spend a few hours actually learning about security best-practices.

    3. Quit relying on security by obscurity. It’s worthless. Use real security measures and you won’t have these kinds of problems.

    People need to stop writing horrible code. If it takes google making it easy to expose these flaws, then, well, so be it. More work for developers who actually know what they’re doing.

    EtnuNo Avatar
    October 8th, 2006 at 1:28 pm

  4. I don’t think that this code search is very usefull, not for the user and not for the owner. I don’t wanna think about how many people will hijack this data and place the code as without permissions in some kind of code directory.

    I’m wondering why I someone should use this search…

    At last google is indexing the files inside zip files, read some days ago about searches for WP config files ripped from .zip backup archives…

    olaf2Avatar
    October 12th, 2006 at 9:56 pm

Sponsored Links

Your Blogmaster is...

Harry Fuecks

Harry Fuecks

Harry has been working in corporate IT since 1994, with everything from start-ups to Fortune 100 companies. Outside of office hours he runs phpPatterns: a site dedicated to software design with PHP that aims to raise standards of PHP development. He also maintains Dynamically Typed: SitePoint's PHP blog.

Subscribe

SitePoint Newsletters

Get all the latest tips by signing up to all of SitePoint’s informative newsletters.

HTML   Plain

SitePoint Blogs