techrageo.us » Searching

Security and Google Code Search

bill — Mon, 09 Oct 2006 09:05:50 +0000

If you use WordPress be careful. An example Google Code Search search going around is “username file:wp-config.php” which happily displays username and passwords in WordPress config files… if they’re in compressed archives or a publicly accessible directory.

Same goes for other configuration or settings files. For instance, connection strings in web.config files (connection string file:web.config), Movable Type passwords (file:mt-db-pass.cgi), keygen name serial, backdoor passwords (backdoor.*password), MySQL root passwords (file:config.inc.php “MySQL password” root, etc.

Spammers can cull email addresses from code with a simple code search as well ([a-z]*@[a-z]*.com)

So what have we learned?

Do not put passwords in public code, including zipped code archives.
Be more diligent to protect against SQL Injection and similar exploits. I.e. do not trust user input of any sort.
Do not put email addresses in public code.
In general, keep your eyes and ears open for security exploits and protect against them.

We can’t be perfect, but we ought to try.

Seen here, here, and here.

Google Code Search

bill — Mon, 09 Oct 2006 02:53:16 +0000

Google Labs has released a Code Search tool (google.com/codesearch).

You can limit the results to languages (lang:), particular licenses (license:), files (file:), and packages (package:). Regular expressions are supported as well.

Language support appears to be limited to the following: Ada, ASP, Assembly, Basic, C, C++, C#, Eiffel, Erlang, Fortran, Java, JavaScript, JSP, Lex, Limbo, Lisp, Lua, Makefile, Mathematica, Matlab, Objective C, Perl, PHP, PostScript, Python, Ruby, Scheme, Shell, Smalltalk, SQL, Tcl, Troff, and Yacc. Wonder why no COBOL, SNOBOL, PL1, Pascal, JCL, etc.? Besides “they’re old languages.” Unfortunately, not everyone is hip and happening, and programmers struggling to support old systems are likely to need a good resource like this. Google, can you add some languages?

Anyhow, support for regular expressions is welcome. The licenses you can use in the searches include: Aladdin Public License, Artistic License, Apache License, Apple Public Source License, BSD License, Common Public License, GNU General Public License, GNU Lesser General Public License, Historical Permission Notice and Disclaimer, IBM Public License, Lucent Public License, MIT License, Mozilla Public License, NASA Open Source Agreement, Python Software Foundation License, Q Public License, Sleepycat License, and the Zope Public License.

Some example searches:

Seen here.

Google Notebook Ho Hum?

bill — Tue, 16 May 2006 12:52:41 +0000

Google Notebook launches and TechCrunch says ho hum, complaining about the lack of tagging and the Google-like interface. They like the drag-drop organization and ability to quickly search across public notebooks.

Yahoo Offers Easier E-Mail Search

grant — Tue, 30 Aug 2005 19:11:15 +0000

Yahoo isn’t going down without a fight. They are now offering an improved search technology which allows you to not only search messages, but also attachments.

This is another instance where Yahoo is on top of the game, instead of Google. Everywhere else they are playing catchup.

Competition is good.

Search for c/c++ code

grant — Tue, 09 Aug 2005 20:06:00 +0000

C Source Search is a new tool that makes it easy to search for pre-written open source code that can help you do your project without re-inventing the wheel.

Most of the code is GPL, so you won’t be able to use it in commercial applications (unless it is for internal use only).

Also, the server is a poor old Celeron so don’t expect any blazingly fast searches.