Tuesday, April 23, 2013

Being a good internet citizen

A large percentage of breaches are discovered by having a third party mention to you that you're insecure. I would estimate it to be well over 50%.
Because of that, when I come across things that are vulnerable I typically try to let the company know so they can fix it. Most of these are simple things that Google has indexed but that were never meant to be public (see this post on Google hacking).

I sometimes get responses, but typically do not. The most common response is a simple thank-you email. I've had less pleasant responses as well, such as people angrily demanding to know what my intentions were. No good deed goes unpunished.

Recently I sent an email to a company to let them know they had a misconfiguration that made every file on their box that the httpd user could read viewable by the entire world through the webserver. It looked something like this:

Plus, everything on their box had been indexed by Google. Imagine your backups and config files being freely downloadable and searchable on Google!

Even worse, there wasn't just one domain hosted on this vulnerable box. A reverse IP lookup (which domains resolve to that address) showed that the server was hosting 576 domains, so every one of those sites' files was exposed through the same hole.

So I sent them a simple email:

Attention Information Security,
I saw this site on Google, and happened to notice that you appear to have a symlink in your document root that points back to /, allowing access to your entire system through the webserver.
For example, your passwd file SHOULD NOT be publicly viewable.

Please let me know if you have any questions.
Thank you,

I received a response from them, which included this:
It's worth noting that /etc/passwd does not contain any sensitive information, and that although we do not widely publish our configuration, we do not generally consider it to be sensitive as it is relatively trivial to reverse-engineer by experimentation and observation. We conduct regular reviews of our platform's security and take extensive measures to ensure that our servers stay secure.

Huh. Okay.

Note: Names have been redacted to protect the ignorant.
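The check I would want to run on my own document roots before a stranger emails me about it, as an added example that is not code from the original post: it rebuilds the misconfiguration described above in a temporary directory (a symlink inside the document root pointing back to `/`), walks the document root without descending into symlinked directories, and reports every link whose resolved target lies outside the root. The directory names (`htdocs`, `assets`, `img`, `data`) are made up for the demonstration.

```python
"""Audit a web document root for symlinks that escape it.

Added example, not from the original post. A symlink under the document
root that resolves to "/" lets a webserver configured to follow symlinks
serve the whole filesystem, limited only by the httpd user's permissions.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(docroot):
    """Return [(link, resolved_target)] for every symlink under docroot
    whose final target is not inside docroot."""
    root = Path(docroot).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed in dirnames but
    # not descended into, otherwise a link to "/" would make us walk the
    # entire filesystem.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the whole chain of links
            try:
                target.relative_to(root)  # still inside docroot: fine
            except ValueError:
                findings.append((str(link), str(target)))
    return findings


def served_path(docroot, request_path):
    """Filesystem path a server that follows symlinks would open for a
    request, e.g. /data/etc/passwd -> /etc/passwd when data -> /."""
    return str((Path(docroot) / request_path.lstrip("/")).resolve())


def build_demo_docroot():
    """Constructed sample layout in a fresh temp dir (hypothetical names);
    returns the docroot path."""
    docroot = Path(tempfile.mkdtemp(prefix="htdocs-")) / "htdocs"
    (docroot / "assets" / "img").mkdir(parents=True)
    (docroot / "index.html").write_text("<h1>hello</h1>\n")
    # Harmless: a symlink that stays within the document root.
    (docroot / "img").symlink_to(docroot / "assets" / "img")
    # The misconfiguration: a symlink back to the filesystem root.
    (docroot / "data").symlink_to("/")
    return docroot


if __name__ == "__main__":
    root = build_demo_docroot()
    for link, target in find_escaping_symlinks(root):
        print(f"ESCAPES DOCROOT: {link} -> {target}")
    print("GET /data/etc/passwd would read",
          served_path(root, "/data/etc/passwd"))
```

On Apache the hole only opens because `Options FollowSymLinks` is set for the directory; replacing it with `Options -FollowSymLinks +SymLinksIfOwnerMatch` makes the server follow a link only when the link and its target have the same owner, which a customer's link to `/` on a shared box will not. The audit above is still worth running, because a single stray link under a 576-domain host is easy to miss by inspection.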


  1. Pretty disappointing. In fact, when I informed some administrators about public AXFR in their DNS zones, I got a reply like this:
    "The vast majority of information in the DNS can be obtained by enumerating the reverse zones or using Google. Services named in the DNS are intended to be publicly accessible or are protected in various ways".
    Different situation, but same question - WTF? :)

  2. Found that site you found a symlink on... After doing some further research, it seems that this site simply copied/stole everything from a different site: Sha*************** @ ap********* (not sure if I should post this information...) and they've actually done a pretty bad job replacing that logo (by simply covering it with their own).
    Anyway, I'm assuming that's why they don't care about that information being public... It doesn't even belong to them in the first place.
    Also, I tried the same simple symlink backdoor with the original site and didn't manage to gain access (I haven't actually pentested the site, simply tried the exact same application that was used previously).

  3. Using a simple Google dork (inurl) can tell us which sites have this issue: https://www.google.com/search?q=inurl%3A%2Fproducts%2Fmanual%2Fdb
