Monday, March 07, 2005

Open directory vulnerability

"Having an open directory on your system is in fact an open invitation to hack."

Let me explain. Last week, I was working on some UML stuff and wanted to try out an evaluation version of a top-rated UML drawing program (I am not naming names, to protect the guilty). While waiting for the huge download to complete, I poked around their site to see what was going on behind the scenes. Once in a while, I'll do a View -> Source on a site to see what's going on underneath. Sometimes, I'll add or remove parts of a URL just to see how well a site handles broken URLs.

Anyways, on this site I discovered that they had not turned off directory listing, and in fact everything in that particular directory was directly visible to me. Next, I did a view source and tried to work out the directory structure of their site (things like the images directory, etc.). The /images/ directory was open and so was the /php/ directory. Upon going to the /php/ directory, I saw that there were certain /php/blah-blah.php.bak files. Now the million-dollar thing to notice here is that .php files are executed and only their output is served. But if a file has a different extension, the web server sends out the source code as-is; the file is not executed. I downloaded the backed-up versions of the PHP files and saw that they contained a lot of sensitive data (such as SQL queries that reveal the database structure, the database username, the password, etc.).

Do you realize how having an open directory on a site could lead to someone learning all about the database? That's why it is important to get your act together and disable directory listing for your websites.
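The two conditions described above (a directory with no index file, so the server renders a listing, and a backup copy of a script with a non-.php extension, so the server serves its source verbatim) can both be caught before deployment by walking the document root. The script below is an added example, not code from the original post or from the vendor in question; the document-root layout it builds (/images/, /php/db.php and /php/db.php.bak with a constructed `mysql_connect` line) is constructed to mirror the post, and the suffix list, index names and credential regex are assumptions you would tune for your own site.

```python
import os
import re
import tempfile
from pathlib import Path

# Files with these suffixes are served as plain text by a web server that only
# hands .php to the interpreter, so a copy of a script under one of these names
# leaks its source (and whatever credentials it contains). Assumed list.
LEAKY_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")

# Default index names a server tries before falling back to a listing. Assumed.
INDEX_NAMES = ("index.php", "index.html", "index.htm")

# Lines in leaked source that look like credentials or connection setup. Assumed.
SECRET_RE = re.compile(r"(password|passwd|pwd|mysql_connect|DB_PASS)", re.I)


def audit_docroot(docroot):
    """Walk a document root and return (listable_dirs, leaky_files, secrets).

    listable_dirs: directories with no index file (would render a listing if
                   directory indexing is enabled on the server).
    leaky_files:   files whose suffix makes the server send them as raw source.
    secrets:       (path, line_no) pairs inside leaky files that mention credentials.
    All paths are relative to the document root, POSIX style, sorted.
    """
    root = Path(docroot)
    listable, leaky, secrets = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if not any(name in filenames for name in INDEX_NAMES):
            listable.append(rel_dir)
        for name in filenames:
            if name.endswith(LEAKY_SUFFIXES):
                path = Path(dirpath) / name
                rel = path.relative_to(root).as_posix()
                leaky.append(rel)
                # Read the leaked copy and flag the lines an attacker would go for.
                with open(path, errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        if SECRET_RE.search(line):
                            secrets.append((rel, line_no))
    return sorted(listable), sorted(leaky), sorted(secrets)


def build_sample_docroot():
    """Create a constructed document root mimicking the layout in the post."""
    base = Path(tempfile.mkdtemp(prefix="docroot-"))
    (base / "index.php").write_text("<?php include 'php/db.php'; ?>\n")
    (base / "images").mkdir()                       # no index file: listable
    (base / "images" / "logo.gif").write_bytes(b"GIF89a")
    (base / "php").mkdir()                          # no index file: listable
    source = "<?php\n$link = mysql_connect('localhost', 'webuser', 'hunter2');\n"
    (base / "php" / "db.php").write_text(source)     # executed, output only
    (base / "php" / "db.php.bak").write_text(source)  # served verbatim: leaks line 2
    return base


if __name__ == "__main__":
    docroot = build_sample_docroot()
    listable, leaky, secrets = audit_docroot(docroot)
    print("directories that would show a listing:", listable)
    print("files served as raw source:", leaky)
    for rel, line_no in secrets:
        print(f"credential-looking line in {rel}:{line_no}")
```

Run it against your real document root (`audit_docroot("/var/www/html")`) as a pre-deploy check. Removing the flagged files fixes the leak at the source; independently of that, `Options -Indexes` in the Apache config or an .htaccess turns listings off, and a `<FilesMatch "\.(bak|old|orig|save)$">` block with `Require all denied` (Apache 2.4; `Deny from all` on 2.2) keeps the server from ever handing out such files even if one slips back in.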

(For those of you who are curious, I am currently working with the management of that company to close the security holes on their site. Also, as a reward for my efforts, they gave me a free copy of the enterprise edition (worth $1600) of their software for my personal use. Woohoo!)


Copyright Anand Jain 2004, 2005. All rights reserved.