Because of Google Code Search, the Web has never been so insecure!!!
Source: Internet | Editor: 程序博客网 | Posted: 2024/05/21 06:38
Original post (English):
There’s a new service by Google Labs called Google Code Search (http://www.google.com/codesearch) that indexes all the open source code on the web, making exploit archives and bug-tracker databases nearly obsolete.
Most of the time, in fact every time, developers prefer to use maintained open source libraries instead of reinventing the wheel, but they seldom audit the code they actually use. From full-fledged applications like phpBB to a tiny utility library like number2words, nearly 50% of the code isn’t actually written by the developer who ships it. Since such code is distributed for free, there is no obligation on its developer/maintainer to make it secure or even fully functional. Meaning that most of the web is weak and patchy.
Imagine a search for "include($_GET": it would reveal dozens of widely used open source projects with an include whose path comes straight from the request, which is an obvious remote file inclusion vulnerability wherever PHP is allowed to include URLs (and at least a local file inclusion / path traversal where it is not). Search for "mysql_query" "SELECT * FROM" "$passwd" and you could find dozens of SQL injection vulnerabilities in the authentication modules of many well-known open source projects.
For example, when you search for "include($_GET", OpenEngine's CMS is one of the applications that tests positive for this vulnerability. Google highlights the matching line and returns:
**************************************************
openengine18/cms/system/03_admin/start.php - 1 identical
19: {
include($_GET["admin"]."/index.php");
}
www.openengine.de/html/downloads/openengine18.zip - GPL - PHP
**************************************************
There would be many more results with similar vulnerabilities lined up in a menu for you to choose the sweetest target. A hit like this shows the dangerous call, not the code around it, so each result still has to be read to see whether the value is validated before it counts as a vulnerability.
Searching for the keywords "todo" and "security" lists many programs with unimplemented security features. You can also search through directory structures and archives/packages, so the keywords "confidential" and "proprietary" pinpoint code that was released improperly. And searching for the C function gets (which reads a line with no length limit) reveals programs with buffer-overflow vulnerabilities. Although Google Code Search only indexes published code, the magnitude of the situation is hard to calculate, because instead of seeing which vulnerabilities a particular application has, you see every application that has a particular kind of vulnerability.
Until now, the majority of security flaws went unnoticed and only a few really stood out. Now Google Code Search exposes the weak strings of the World Wide Web in their entirety.
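The searches in the post are nothing more than pattern matches over source text. The Python below is an added example, not code from the original post or from any project it names: it runs regular-expression signatures equivalent to the post's three queries ("include($_GET", mysql_query with an interpolated "$passwd", and gets) over a few source files constructed for this example, then groups the hits by vulnerability class the way a code-search result set does. Only the openengine18 include line is taken from the search result quoted above; the surrounding context, the login module, the C file and the hardened counterpart are constructed here, and the signatures are this example's own heuristics, not Google Code Search's matching rules.

```python
"""Grep-style vulnerability signature search over source files.

Added example: mimics the kind of query the post runs against Google
Code Search using regular expressions over in-memory files. Every
sample file below is constructed for this example; only the openengine18
include line is taken from the search result quoted in the post.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    line: str


# Heuristic signatures modelled on the post's search strings. A match is
# a lead to read, not proof that the code is exploitable.
SIGNATURES = {
    # include/require whose path starts with a request superglobal: remote
    # file inclusion if PHP may include URLs, local inclusion otherwise.
    "file-inclusion": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
    ),
    # mysql_query() whose SQL is a double-quoted string that either
    # interpolates a PHP variable or is concatenated with one.
    # (Single-quoted PHP strings do not interpolate, so they are skipped.)
    "sql-injection": re.compile(
        r'\bmysql_query\s*\(\s*"(?:[^"]*\$\w+|[^"]*"\s*\.\s*\$)'
    ),
    # C gets() takes no buffer length; fgets() and ->gets() are not matched.
    "buffer-overflow": re.compile(r"(?<![\w.])gets\s*\("),
}

SAMPLE_FILES = {
    # Context constructed around the line quoted in the post.
    "openengine18/cms/system/03_admin/start.php": """<?php
if (isset($_GET["admin"]))
{
    include($_GET["admin"]."/index.php");
}
""",
    # Constructed login module matching the post's mysql_query search.
    "login.php": """<?php
$user = $_POST["user"];
$passwd = $_POST["passwd"];
$r = mysql_query("SELECT * FROM users WHERE name='$user' AND pass='$passwd'");
""",
    # Constructed C file: one unbounded read, one bounded read.
    "util.c": """#include <stdio.h>
int main(void) {
    char buf[64];
    gets(buf);                      /* no length: stack overflow */
    fgets(buf, sizeof buf, stdin);  /* bounded: must not match */
    return 0;
}
""",
    # Constructed hardened counterpart: whitelist lookup for the include
    # and a PDO prepared statement; no signature should fire here.
    "hardened.php": """<?php
$allowed = array("users" => "users", "settings" => "settings");
$page = isset($allowed[$_GET["admin"]]) ? $allowed[$_GET["admin"]] : "users";
include(dirname(__FILE__) . "/" . $page . "/index.php");
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = ? AND pass = ?");
$stmt->execute(array($user, $passwd));
""",
}


def scan(files: dict[str, str]) -> list[Finding]:
    """Return every signature hit as (path, line number, kind, line text)."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SIGNATURES.items():
                if pattern.search(line):
                    findings.append(Finding(path, line_no, kind, line.strip()))
    return findings


def by_kind(findings: list[Finding]) -> dict[str, list[str]]:
    """Group hit paths by vulnerability class, as a code search does: you
    see every file with a given bug class, not every bug in one file."""
    groups: dict[str, list[str]] = {}
    for f in findings:
        paths = groups.setdefault(f.kind, [])
        if f.path not in paths:
            paths.append(f.path)
    return groups


if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.line}")
    for kind, paths in by_kind(hits).items():
        print(kind, "->", ", ".join(paths))
```

Running it flags one line in each of the three vulnerable files and nothing in hardened.php: the whitelist lookup never passes `$_GET` straight to `include`, and the prepared statement never builds SQL from a string. That is both the strength and the limit of this kind of search: it finds the dangerous call sites quickly across many projects, but a file that validates its input a line earlier produces the same hit, and a file that reaches the same bug through a different spelling produces none.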
Chinese translation: Shawn C