Integrigy Security Alert

______________________________________________________________________

Internet Connected Applications and Search Engines

October 3, 2002

______________________________________________________________________

Summary:

Oracle E-Business Suite self-service applications are often connected to the Internet for direct access by customers, suppliers, and employees. Using search engines (Google, Altavista, etc.) and simple search phrases, hackers can quickly find instances of the Oracle E-Business Suite to attack. All Internet accessible instances of the Oracle E-Business Suite should be shielded from web crawlers and indexing services.

Product:    Oracle E-Business Suite

Versions:   All versions

Platforms:  All platforms

Risk Level: Medium

______________________________________________________________________

Description:

Search engines like Google and Altavista use web crawlers to find web pages to index.  Most search engines (including Google and Altavista) can search for specific URLs.  Using this search feature, a hacker can quickly find all the indexed Oracle Applications login pages.

A survey conducted by Integrigy identified over 40 sites running Oracle Applications – all fully accessible from the Internet.  No tests for vulnerabilities were performed.

Once a site has been identified, the hacker can attempt to exploit the application.  Several published vulnerabilities exist where, using only a web browser, arbitrary data can be retrieved from the database.

Solution:

Use as many search engines as possible to look for your servers.  Each search engine has the capability to narrow the search to a specific domain (e.g., example.com) or even to a specific server.  Even if your servers cannot be found today, this does not mean a search engine will not locate them in the future.  Additional searches should be performed for documentation or links that may appear on related web pages with the URL of your server – training or IT websites often contain such information.

There are two solutions to this issue, each of which provides at least minimal protection against a site being indexed by search engines.

1. Robots.txt

The robots.txt file is honored by many search engines (though not all) to limit what they include in their indexes.  Web crawlers look for a robots.txt file in the web server root directory (e.g., http://sun.example.com/robots.txt).  The robots.txt should contain the following lines, which will stop most web crawlers from looking at any pages on the server –

      User-agent: *
      Disallow: /

If the server has already been indexed, it may take several weeks for the server to be “crawled” again and removed from the index.

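The following Python script is an added example (not Integrigy's or Oracle's code) for auditing a robots.txt body before it is deployed.  Using the standard library's robots.txt parser, it reports which crawlers could still fetch the login page, so that a rule written for one named engine only, or an empty Disallow line (which permits everything), is caught.  The login path and the crawler user-agent names are assumed values for illustration.

```python
"""Audit a robots.txt body: which crawlers could still fetch the login page?

Added example, not Integrigy's or Oracle's code.  The login path and the
crawler names are assumptions for illustration; substitute your own.
"""
import urllib.robotparser

# Assumed path of the self-service login page; adjust to your installation.
LOGIN_PATH = "/OA_HTML/icxindex.htm"

# Constructed list of crawler user-agents to evaluate the rules against; the
# last entry stands in for crawlers you have never heard of.
CRAWLERS = ["Googlebot", "Scooter", "FAST-WebCrawler", "Slurp", "UnknownBot/1.0"]


def still_crawlable(robots_body, path=LOGIN_PATH, crawlers=CRAWLERS):
    """Return the crawlers that this robots.txt would still allow to fetch `path`.

    An empty list means every listed crawler is told to stay away.
    """
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_body.splitlines())
    return [ua for ua in crawlers if rp.can_fetch(ua, path)]


# Constructed weak robots.txt: only one crawler is named; all others may index.
WEAK = "User-agent: Googlebot\nDisallow: /\n"

# Constructed robots.txt with the blanket rule recommended above.
HARDENED = "User-agent: *\nDisallow: /\n"

# Constructed mistake: an empty Disallow value means "allow everything".
EMPTY_DISALLOW = "User-agent: *\nDisallow:\n"

if __name__ == "__main__":
    for label, body in [("weak", WEAK), ("hardened", HARDENED), ("empty", EMPTY_DISALLOW)]:
        print(label, "-> still crawlable by:", still_crawlable(body))
```

Remember that robots.txt is advisory: it only keeps out crawlers that choose to read it, which is why the alert pairs it with firewall filtering and continuous hardening.
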
2. Firewall Filtering

A more complicated solution is to set up appropriate filtering on firewalls and routers to block unauthorized access to these servers.

For sites already indexed by a search engine, contact the individual search engine to have the URL of the site removed.  This will only affect the server running Oracle Applications (e.g., sun.example.com) and not any other websites in your organization.

These solutions only provide limited protection as many hackers use automated scanning tools to search the Internet for vulnerable servers. Any servers directly connected to the Internet must be sufficiently hardened and monitored on a continuous basis.

Additional Information:

Excluding Robots - http://www.robotstxt.org/wc/norobots.html

Popular Search Engines

      www.google.com – Search Phrase = “allinurl: icxindex htm”

      www.altavista.com – Search Phrase = url:icxindex.htm

      www.alltheweb.com – See advanced search

      www.hotbot.com – See advanced search

      www.teoma.com – Search Phrase = inurl:ICXINDEX.HTM

______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.

For more information, visit www.integrigy.com.