[Full-disclosure] Google and Yahoo search engine zero-day code

Denis Jedig seclists at syneticon.de
Wed Jul 5 10:04:25 BST 2006


n3td3v wrote:

> Today's disclosure involves Google and Yahoo search engines:
> 
> All you need to do is put in the code to a web page, when Google and
> Yahoo visit it, then the code exploits the software they use and makes
> them start caching 'other' pages. Including 'no index' pages, where
> sites have set up a robot text file on their server to protect
> corporate and consumer interests.

I think you missed the concept here. Whatever is on the webservers and 
is available to the public is... well... available to the public.

It does not help security matters to introduce a robots.txt - the 
purpose of this directives file is not to secure something but to reduce 
traffic and keep irrelevant content out of search engines.

If you need security, you introduce some kind of authentication *before* 
access is allowed to sensitive data. You will find that a sign reading 
"Do not enter and do not steal any gold" will not help much at the Fort 
Knox entrance if it is the only security measure.

Denis
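
An added illustration of the reply's point, not part of the original post: a small in-process WSGI app in which robots.txt only influences clients that choose to honour it, while an authentication check made before access is what actually withholds the data. The paths, user name, password and helper names are constructed for this example.

```python
import base64
import hmac
from urllib.robotparser import RobotFileParser

# Constructed sample data for illustration (not from the original post).
ROBOTS_TXT = "User-agent: *\nDisallow: /private/\n"
PAGES = {"/": b"public home", "/private/report": b"sensitive report"}
USER, PASSWORD = "alice", "constructed-demo-password"

def authorized(environ):
    """Check HTTP Basic credentials with a constant-time comparison."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64
        return False
    return hmac.compare_digest(supplied, f"{USER}:{PASSWORD}".encode())

def make_app(enforce_auth):
    """WSGI app; with enforce_auth, /private/ is checked before any data is read."""
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        if enforce_auth and path.startswith("/private/") and not authorized(environ):
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="private"')])
            return [b"authentication required"]
        if path == "/robots.txt":
            body = ROBOTS_TXT.encode()
        elif path in PAGES:
            body = PAGES[path]
        else:
            start_response("404 Not Found", [])
            return [b"not found"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]
    return app

def fetch(app, path, auth=None, polite=False):
    """Call the app in-process (no network). polite=True honours robots.txt."""
    if polite:
        rules = RobotFileParser()
        rules.parse(ROBOTS_TXT.splitlines())
        if not rules.can_fetch("*", path):
            return ("skipped by client", b"")
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if auth:
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(":".join(auth).encode()).decode()
    statuses = []
    body = b"".join(app(environ, lambda status, headers: statuses.append(status)))
    return (statuses[0], body)
```

With `make_app(False)` the only thing keeping the report out of an index is the client's own decision to skip it; with `make_app(True)` the server refuses every request that lacks valid credentials, whatever robots.txt says.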




Full-Disclosure is hosted and sponsored by Secunia.