Finding Sites Vulnerable to the Stock Weakness

Now let's try to find some examples of this weakness online. In general, you want to find something about the module that is unique. Often you can use URLs provided by the module and search for them with the Google "inurl:" modifier. In the case of CCLite, that is not as useful because the only path is the admin page, which would not generally be linked from any navigation. Normally, this is a very tough task—the module uses fairly common phrases about the licenses—however, the module uses the less-common British English spelling "licence", so a search for "This work is licenced under a" with the modifier "inurl:node" returns hundreds of sites to investigate. You can see the search phrase and Google's approximation of the number of potentially vulnerable sites in Figure 9-2.

[Figure 9-2 screenshot: Google search for "This work is licenced under a" inurl:node. Results: 1 - 10 of about 589 (0.18 seconds). Google's suggestion: Did you mean: "This work is licensed under a" inurl:node]

Figure 9-2 The Google search returned 589 potentially weak sites.

Notice in Figure 9-2 how Google very helpfully informs you that this string isn't the most common way to spell it—which tips you off to the fact that this search string might work to identify vulnerable sites. Adding the "inurl:node" modifier—because the string is shown only in a block on node view—eliminates many potentially vulnerable sites that use path aliases to hide their node/NID-style URLs.

A quick review of the 10 sites on the first page of the results reveals one example where the settings are wide open and you can change them without logging in to the site. Figure 9-3 shows this admin screen for a site where I was not logged in.

Figure 9-3 A site vulnerable to the Creative Commons weakness

With over 500 sites, manual review isn't a reasonable method to find sites. Instead, it would be more efficient to write a script that uses the Google search API to find sites and then runs a test on each site, such as visiting the vulnerable URL and comparing the returned data to a known good case—the HTTP Access Denied header—and a known bad case—the Creative Commons Lite title on the page, or a form element's description text.
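As an added example (not code from the book), the following script shows the comparison just described as a self-check a site owner can run against their own Drupal site: a 403 Access Denied is the known good case, while a 200 response carrying the Creative Commons Lite title is the known bad case. The module settings path is a placeholder, since the book does not give CCLite's exact admin URL.

```python
# Added example: an anonymous self-check of a module settings page on your own
# Drupal site. Not part of the book; the admin path below is a placeholder.
import urllib.error
import urllib.request

# Known-bad markers: text the module's settings page shows when it renders.
# "Creative Commons Lite" is the page title named in the book; the form
# description string is a constructed placeholder to replace with your own.
KNOWN_BAD_MARKERS = ("Creative Commons Lite", "DESCRIPTION_TEXT_PLACEHOLDER")


def classify(status, body):
    """Map an HTTP status and body to 'protected', 'exposed' or 'unknown'.

    403 is Drupal's Access Denied (known good). A 200 whose body contains one
    of the module's own strings means the settings form rendered for an
    anonymous client (known bad). Anything else needs a human look.
    """
    if status == 403:
        return "protected"
    if status == 200 and any(marker in body for marker in KNOWN_BAD_MARKERS):
        return "exposed"
    return "unknown"


def fetch(url, timeout=10):
    """GET url with no cookies, i.e. as an anonymous visitor; return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "access-selfcheck/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Drupal's Access Denied arrives here as a 403 with an HTML body.
        return err.code, err.read().decode("utf-8", "replace")


def check_site(base_url, admin_path="admin/settings/MODULE_PATH_PLACEHOLDER"):
    """Return the classification of the module settings page on one site."""
    status, body = fetch(f"{base_url.rstrip('/')}/{admin_path}")
    return classify(status, body)


if __name__ == "__main__":
    import sys
    # Usage: python selfcheck.py https://your-own-site.example
    print(check_site(sys.argv[1]))
```

A result of "exposed" means the settings form rendered without a session, which is exactly the missing access check the weakness describes; "unknown" (for example a 404 or a redirect to the login page) should be reviewed by hand.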
