[Full-Disclosure] Google as Application FireWall

From: Andrey Bayora (andrey_at_hiddenbit.org)
Date: 02/24/05

  • Next message: Ron: "Re: [Full-Disclosure] Exploiting apache" 
    Date: Thu, 24 Feb 2005 09:12:21 -0600
To: full-disclosure@lists.netsys.com

    Hi list,
    As you know, Google blocks some keywords in the search query like
    "viewtopic.php" to stop worms attacking vulnerable sites.
    Debasis Mohanty in his post
    (http://seclists.org/lists/fulldisclosure/2005/Feb/0534.html) explained
    how this block could be bypassed, by searching for:
    "view" + "topic" + ".php"
    Or
    Viewtopic.php

    Now these "tweaks" doesn't work any more, they are also blocked by
    Google.
    The world is saved from the Sanity Worm!!!........?

    First, the results from the competitors:

    search.msn.com
    1-10 of 709,394 containing "viewtopic.php"
    1-10 of 39,532 containing "phpBB/viewtopic.php"

    A9.com
    Search for "viewtopic.php" - Web Service temporarily unavailable.
    Search for ""phpBB/viewtopic" - Showing 1 - 10 of about 261,000

    search.yahoo.com
    Results 1 - 100 of about 14,400,000 for inurl viewtopic php

    And now the GOOGLE results:
    Results 1 - 100 of about 5,890,000 for allinurl:view topic php
    Results 1 - 100 of about 228,000 for inurl:view+phpBB+topic + php
    Results 1 - 100 of about 1,550,000 for inurl:topic+view+php
    Search for inurl:".php" – BLOCKED.

    Conclusion:
    1. If google blocks (sanitize) search results – the google users must
    know the rules (what blocked, when and why).
    The rules now (at least):
    - inurl:".php" – BLOCKED
    - inurl:viewtopic – BLOCKED

    2. Why inurl:".php" query is blocked?
    - if this is a "bug", it need to be fixed
    - if not a "bug", please BLOCK .asp .asa .vbs …get the list from
    antivirus vendors :)

    3. OK, it's a good intention to help to reduce the impact of worm's
    attacks, BUT…
    think about the next move of virus writers…as you see from above search
    results, you can't effectively block the "bad" results, so the LONG
    TERM impact can be that virus writers will develop some fuzzy engine
    and will still get the desired results.
    For example: query for -- allinurl:view topic php -- and then passing
    over ALL search results (5,890,000) and filtering for "viewtopic.php"
    string in URL. The service will be overloaded much more.
    This is worse problem, then the initial one!!!

    Regards,
    Andrey Bayora
    CISSP, GCIH

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Ron: "Re: [Full-Disclosure] Exploiting apache"