Security and Google Code Search

October 9th, 2006 by bill · No Comments

If you use WordPress, be careful. An example Google Code Search query going around is “username file:wp-config.php”, which happily displays usernames and passwords from WordPress config files… if they’re in compressed archives or a publicly accessible directory.

The same goes for other configuration or settings files. For instance, connection strings in web.config files (connection string file:web.config), Movable Type passwords (file:mt-db-pass.cgi), keygen name serial, backdoor passwords (backdoor.*password), MySQL root passwords (file:config.inc.php “MySQL password” root), etc.

Of course, one could search for code vulnerable to cross-site scripting, SQL Injection (lang:php mysql_query\(.*\$_(GET|POST|COOKIE|REQUEST).*\)), remote code execution (lang:php (include|require)\s*(\(|\s).*\$_(GET|POST)), header injection, and on and on.

Spammers can cull email addresses from code with a simple code search as well ([a-z]*@[a-z]*.com).

So what have we learned?

  • Do not put passwords in public code, including zipped code archives.
  • Be more diligent in protecting against SQL Injection and similar exploits, i.e. do not trust user input of any sort.
  • Do not put email addresses in public code.
  • In general, keep your eyes and ears open for security exploits and protect against them.
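
One way to act on these lessons before code goes public is to scan the tree yourself for the same things the searches above look for. The following Python script is an added example, not code from the original post or from WordPress, Movable Type or any other project named in it. It runs the post's kinds of patterns (hard-coded passwords, connection strings in web.config, email addresses, and mysql_query or include/require fed straight from PHP superglobals) over a set of files, and it also opens zip archives so that a zipped backup left in a public directory is checked too, which the first lesson calls out. All file names, the sample wp-config.php, web.config and PHP files, and the credentials in them are constructed for the example; the patterns are deliberately simple and will produce false positives on real code.

```python
import io
import re
import zipfile

# (finding name, per-line regex, optional regex the file name must match).
# Constructed for this example: they mirror the kinds of searches described
# in the post and are intentionally simple, not a complete secret scanner.
FINDINGS = [
    ("hardcoded-credential",
     re.compile(r"""(?i)\b(db_password|mysql_password|password|passwd|secret)\b['"]?\s*(=>|[=:,])\s*['"][^'"]+['"]"""),
     None),
    ("connection-string",
     re.compile(r"""(?i)password=[^;"']+"""),
     re.compile(r"web\.config$", re.I)),
    ("email-address",
     re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
     None),
    ("sql-from-user-input",
     re.compile(r"mysql_query\s*\(.*\$_(GET|POST|COOKIE|REQUEST)"),
     re.compile(r"\.php$", re.I)),
    ("include-from-user-input",
     re.compile(r"\b(include|require)(_once)?\s*(\(|\s).*\$_(GET|POST|COOKIE|REQUEST)"),
     re.compile(r"\.php$", re.I)),
]


def scan_text(name, text):
    """Return (file name, line number, finding) for every pattern hit in one file."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern, name_filter in FINDINGS:
            if name_filter and not name_filter.search(name):
                continue
            if pattern.search(line):
                found.append((name, lineno, kind))
    return found


def scan_file(name, data):
    """Scan one file's bytes; zip archives are opened and each member is scanned
    in turn (recursively, so a zip inside a zip is covered as well)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        found = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                found.extend(scan_file(f"{name}!{member.filename}", zf.read(member)))
        return found
    return scan_text(name, data.decode("utf-8", errors="replace"))


def scan_tree(files):
    """files: mapping of path -> bytes, e.g. everything collected from a webroot
    before it is published. Returns the combined report, sorted by path."""
    report = []
    for path, data in sorted(files.items()):
        report.extend(scan_file(path, data))
    return report


# Constructed sample files (none of these values are real credentials).
WP_CONFIG = b"""<?php
define('DB_NAME', 'blog');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'hunter2');   // constructed sample, not a real credential
$table_prefix = 'wp_';
"""

WEB_CONFIG = b"""<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=sa;Password=Pa55w0rd;" />
  </connectionStrings>
</configuration>
"""

# The two PHP patterns from the post, as they would appear in vulnerable code.
SEARCH_PHP = b"""<?php
$to = 'webmaster@example.com';
$res = mysql_query("SELECT * FROM posts WHERE id=" . $_GET['id']);
include($_GET['page'] . '.php');
"""

# Hardened equivalents: a prepared statement and an allowlist lookup.
SAFE_PHP = b"""<?php
$stmt = $pdo->prepare('SELECT * FROM posts WHERE id = ?');
$stmt->execute([$_GET['id']]);
$pages = ['home' => 'home.php', 'about' => 'about.php'];
$key = $_GET['page'] ?? 'home';
$page = $pages[$key] ?? 'home.php';
require $page;
"""


def build_sample_tree():
    """Constructed webroot: a zipped backup left in a public directory plus loose files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("blog/wp-config.php", WP_CONFIG)
        zf.writestr("blog/search.php", SEARCH_PHP)
    return {
        "public_html/backup.zip": buf.getvalue(),
        "public_html/web.config": WEB_CONFIG,
        "public_html/safe.php": SAFE_PHP,
    }


if __name__ == "__main__":
    for path, lineno, kind in scan_tree(build_sample_tree()):
        print(f"{path}:{lineno}: {kind}")
```

Run scan_tree over a mapping of path to file contents gathered from the webroot (or the repository) before anything is published; a non-empty report means something has to be removed or rewritten. On the constructed tree the report flags the password inside the zipped wp-config.php, the email address and both superglobal-driven calls in the zipped search.php, and the connection string in web.config, while safe.php produces nothing: its prepared statement and allowlist lookup are the hardened forms of the two PHP findings.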

We can’t be perfect, but we ought to try.

Seen here, here, and here.

Tags: Best Practices · Google · PHP · Programming · Searching · Security
