Friday 12 June 2009

Security mistakes #10 Admin info

I will be doing a single post on each point to allow people to understand what I was talking about at the NNUG Stavanger meeting.

So let's start with issue #10, which was leaving admin info on the server.

This is not just about leaving passwords in plain text, but about leaving valuable clues that let a person penetrate your security and your web application. Examples of such information include trace output, debug information, descriptive error messages, unsecured admin tools, and test pages that output sensitive information.

It is possible to use Google to find vulnerable web sites, and to find such information on web servers, because Google's search operators let you refine a search down to particular files on a site.

Suppose, for example, you create a backup file of the site contents and put it in a folder called backup that is browsable. A quick Google search of the site could let someone find that file and obtain your source code, giving them plenty of time to study it for security vulnerabilities.

intitle:index.of "parent directory" site:your site

Leaving the trace file enabled will also give away a lot of information.

So turn tracing off, or at least set the localOnly value to true.
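A quick check for the settings discussed above, added here as an example and not code from the original post: it parses two constructed web.config fragments (names and values are made up for the example) and flags trace, debug and custom-error settings that expose information to remote visitors.

```python
import xml.etree.ElementTree as ET
# Constructed sample: a web.config left over from debugging.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" pageOutput="true" />
  </system.web>
</configuration>"""

# Constructed sample: the same file with tracing off (or local-only) as the post advises.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""


def _flag(value, default):
    """ASP.NET reads these attributes as case-insensitive booleans."""
    return default if value is None else value.strip().lower() == "true"


def audit_web_config(xml_text):
    """Return findings for settings that leak trace/debug/error details.

    Absent attributes take the ASP.NET defaults: trace disabled with
    localOnly=true, compilation debug=false, customErrors mode=RemoteOnly.
    """
    web = ET.fromstring(xml_text).find("system.web")
    findings = []
    if web is None:
        return findings
    trace = web.find("trace")
    if trace is not None and _flag(trace.get("enabled"), False):
        if _flag(trace.get("localOnly"), True):
            findings.append("trace enabled (localOnly): disable before deployment")
        else:
            findings.append("trace enabled with localOnly=false: trace output reachable remotely")
        if _flag(trace.get("pageOutput"), False):
            findings.append("trace pageOutput=true: trace table appended to every page")
    comp = web.find("compilation")
    if comp is not None and _flag(comp.get("debug"), False):
        findings.append("compilation debug=true: debug build and verbose errors exposed")
    errs = web.find("customErrors")
    if errs is not None and (errs.get("mode") or "RemoteOnly").lower() == "off":
        findings.append("customErrors mode=Off: detailed error pages shown to remote clients")
    return findings
```

Run it against a real web.config by reading the file and passing its text to audit_web_config; an empty list means none of the checked settings expose information.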
