
SVN: Six months later
In continuation of the work done half a year ago by 2Tovarishcha and Anton Isaykin, we (aldonin and dasm32) decided to scan the 1,000,000 most popular sites on the modern Web, starting with google.com and ending with wordpress.com.
We wrote the scanner in Perl. The first version made no use of threads. But when, after 3 days, only 25% of the sites had been crawled, a miserable 250,000, the question of increasing performance became urgent :)
After a little but invaluable help from comrades at perlmonks.org, multithreading was put to full use, and the rest of our list was checked in just a day.
The results, of course, surprised us.
About 4,500 sites (more precisely, 0.43%) with the above “vulnerability” were discovered. The percentage was even slightly higher than that found by 2Tovarishcha and Anton Isaykin. Among them were many large and popular portals and services, whose names and addresses we will not publish, following the principle of the authors who first discovered this carelessness on the part of many webmasters and administrators. During the scan, only one angry letter reached our server, from a German site, which, by the way, claimed that we were “loading” their web server :)). One miserable request. Anyway.
Although access to the global network is now present in almost every home, and IT community news has long been international, our foreign colleagues do not seem to have learned about a danger that lets even an ordinary user get their hands on the holy of holies: the working mechanisms of other people's web projects, large and small. We were quite surprised by such carelessness, which turned out to be inherent even in experienced and "battle-hardened" creators of web services.
For most Russian IT industry employees, reading information in a foreign language is clearly not much of a problem, especially now that there are many electronic dictionaries, but not all of them were ready for this kind of “check” either: the scan found approximately 80 large projects in the .ru zone with open "doors" to their source code.
Statistics
The zone with the most SVN metadata open to the curious gaze was, as expected, .com, which accounts for a good half of the vulnerable sites. The distribution of sites by geographical domain zone can be seen in this diagram.

An analysis was also performed on the PR rating (PageRank - link ranking from the notorious Google).

And as it later turned out, according to McAfee SiteAdvisor, malicious scripts were detected on approximately 43 of the 4373 sites.
A little about the “vulnerability” itself
Using a specially composed request in the browser, we can get a list of the project's files, along with their owners and last-change times, as well as the source code of the site's pages.

Although this does not always work out :)

How an attacker might take advantage of the information obtained is known only to him.
Perhaps he will simply take the list of users and start guessing the password for the admin section of your site, armed with logins that you may have used more than once. Maybe he will use access to the sources to get configuration files like config.inc.php, in which many popular content management systems like to store the credentials for connecting to the database server, or just download the whole site and calmly look for vulnerabilities in it on his own computer, without disturbing your server with suspicious requests. Or maybe he will take the source and put a clone of your service on the Internet ... And how many more ways to use these "goodies" can one come up with?
How do we protect ourselves from this? We will not engage in brazen copy-paste, but simply refer the concerned reader to the pioneers' post.
The necessary recommendations for protection are at the bottom of it.
Does this apply to you? If you do not use SVN on your website, then it does not. Otherwise, try opening vash-site.ru/.svn/entries and check whether your entries file is "shining" for the whole world to see.
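An offline version of the self-check above, added here as an example (it is not the authors' Perl scanner): it walks a local copy of your own document root, reports every `.svn` directory that would be published, and summarises what its `entries` file lists. The line-based pre-1.7 `entries` layout and its field positions are assumptions, and the sample tree is constructed.

```python
import os

def parse_entries(path):
    """Names and last-commit authors listed in a line-based (pre-1.7) entries file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head, _, body = fh.read().partition("\n")
    names, authors = [], set()
    if not head.strip().isdigit():           # older XML format: not parsed here
        return names, authors
    for record in body.split("\x0c\n"):      # records are separated by a form feed
        fields = record.split("\n")
        if fields[0]:                        # an empty name is the directory itself
            names.append(fields[0])
        if len(fields) > 10 and fields[10]:  # assumed position of the last author
            authors.add(fields[10])
    return names, authors

def audit_docroot(docroot):
    """One finding per .svn directory that sits inside the published tree."""
    findings = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if ".svn" not in dirnames:
            continue
        dirnames.remove(".svn")              # report it, do not descend into it
        svn_dir = os.path.join(dirpath, ".svn")
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        entries = os.path.join(svn_dir, "entries")
        names, authors = parse_entries(entries) if os.path.isfile(entries) else ([], set())
        base = os.path.join(svn_dir, "text-base")  # pristine copies of the sources
        findings.append({
            "url_path": ("" if rel == "." else "/" + rel) + "/.svn/entries",
            "listed_names": names,
            "authors": sorted(authors),
            "source_copies": len(os.listdir(base)) if os.path.isdir(base) else 0,
        })
    return sorted(findings, key=lambda f: f["url_path"])

def build_sample(root):
    """Constructed sample: a docroot deployed straight from a working copy."""
    rec = lambda name, kind, author: "\n".join([name, kind] + [""] * 7 + ["7", author, ""])
    top = os.path.join(root, ".svn")
    os.makedirs(os.path.join(top, "text-base"))
    os.makedirs(os.path.join(root, "admin", ".svn"))
    with open(os.path.join(top, "entries"), "w") as fh:
        fh.write("10\n" + "\x0c\n".join([rec("", "dir", "alice"), rec("config.inc.php", "file", "bob"), ""]))
    open(os.path.join(top, "text-base", "config.inc.php.svn-base"), "w").close()
    with open(os.path.join(root, "admin", ".svn", "entries"), "w") as fh:
        fh.write("10\n\ndir\n")              # truncated record: still a finding
    return root
```

Point `audit_docroot()` at the directory you are about to publish; an empty result means no `.svn` metadata would be served from it.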
In closing, we would like to say that we did not set ourselves the goal of “downloading the source of sites,” so we did not retrieve a single source file, nor did we save any entries files. We are now gradually drawing the attention of the owners of the scanned sites to their oversight. Because notification has only just begun, we, alas, will not show you examples of vulnerable sites. But if the owners give us their consent, links will be provided at your request.
Regards, aldonin and dasm32.