The web has never been more insecure: Google code search


Great news for the uber h4x0r / r00t3r / d3f4c3r and for those who hack when they feel low, depressed or have nothing else to do. There’s a new service by Google Labs called "Google code search" (http://www.google.com/codesearch) that sneaks into all open source code on the web, making exploit archives and bug-tracking databases nearly obsolete.


Most of the time, in fact every time, developers prefer to use maintained open source libraries instead of re-inventing the wheel, but they seldom audit the code that they actually use. From full-fledged applications like phpBB to a tiny utility library like number2words, nearly 50% of the code isn’t actually written by the developer. Since such code is distributed for free, there is no obligation on the developer/maintainer of that code to make it secure or even fully functional, meaning that most of the web is weak and patchy.


Imagine a search for "include($_GET" that would reveal dozens of widely used open source projects with such an obvious remote file inclusion vulnerability. Search for "mysql_query" "SELECT * FROM" "$passwd" and you could find dozens of SQL injection vulnerabilities in the authentication modules of many well-known open source projects.


For example, when you search for "include($_GET", OpenEngine's CMS is one of the applications that would test positive for this vulnerability. Google will spot the bug and return:

 

openengine18/cms/system/03_admin/start.php - 1 identical

    19:   {
              include($_GET["admin"]."/index.php");
          }

www.openengine.de/html/downloads/openengine18.zip - GPL - PHP

 

 

There would be many more results with similar vulnerabilities up in a menu for you to choose the sweetest target.


Keywords "todo" and "security" would list many programs that have unimplemented security features. You can also search through the directory structure and archives/packages on the file system, which means you can find files with keywords "confidential" and "proprietary" that will pinpoint code that has been improperly released. And searching for the function "gets" can reveal programs with buffer-overflow vulnerabilities. Although Google code search will only sneak into published code, the magnitude of the situation is way beyond calculation: you don’t see what vulnerabilities a particular application has; instead you see all the applications that have a particular kind of vulnerability.
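The same three searches can be pointed at code you already ship. The following is an added example, not part of the original article: it scans a local source tree, such as a vendored library directory, for the include, mysql_query and gets patterns described above. Rule labels, sample files and paths are constructed for illustration; matching is line-based, so a call split across several lines is missed.

```python
import re
from pathlib import Path

# (rule label, file suffixes, pattern). Labels are this example's own names.
RULES = [
    ("request-controlled-include", {".php"},
     re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|REQUEST|COOKIE)\b')),
    # Only double-quoted PHP strings interpolate variables.
    ("sql-string-interpolation", {".php"},
     re.compile(r'\bmysql_query\s*\(\s*"[^"]*\$')),
    # The lookbehind keeps fgets() and other *gets names out of the results.
    ("unbounded-gets", {".c", ".h"},
     re.compile(r'(?<!\w)gets\s*\(')),
]
SUFFIXES = {".php", ".c", ".h"}

def scan_text(filename, text):
    """Return (filename, line number, rule label) for every matching line."""
    suffix = Path(filename).suffix.lower()
    return [(filename, lineno, label)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for label, suffixes, pattern in RULES
            if suffix in suffixes and pattern.search(line)]

def scan_tree(root):
    """Scan every PHP/C source under root, e.g. a vendored library directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample sources, not taken from any real project.
SAMPLES = {
    "vendor/cms/start.php": '<?php\nif (isset($_GET["admin"])) {\n'
                            '    include($_GET["admin"]."/index.php");\n}\n',
    "vendor/auth/login.php": '<?php\n$passwd = $_POST["passwd"];\n$r = mysql_query('
                             '"SELECT * FROM users WHERE passwd=\'$passwd\'");\n',
    "vendor/auth/ok.php": '<?php\ninclude("header.php");\nmysql_query("SELECT 1");\n',
    "vendor/util/read.c": '#include <stdio.h>\nchar buf[64];\n'
                          'void f(void) { fgets(buf, sizeof buf, stdin); }\n'
                          'void g(void) { gets(buf); }\n',
}

def scan_samples():
    return [hit for name, text in SAMPLES.items() for hit in scan_text(name, text)]

if __name__ == "__main__":
    for filename, lineno, label in scan_samples():
        print(f"{filename}:{lineno}: {label}")
```

Each hit is a line to review by hand, not a confirmed flaw: a static include, a parameterised query or a bounded read such as fgets is what the reviewed code should end up with.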

Until now, the majority of security flaws used to go unnoticed and only a few would really stand out. But now, Google code search exposes the weak strings of the World Wide Web in its entirety.

 

 

 

