Integrigy Security Alert
______________________________________________________________________
Internet Connected Applications and Search Engines
October 3, 2002
______________________________________________________________________
Summary:
Oracle E-Business Suite self-service applications are often connected to the Internet for direct access by customers, suppliers, and employees. Using search engines (Google, Altavista, etc.) and simple search phrases, hackers can quickly find instances of the Oracle E-Business Suite to attack. All Internet accessible instances of the Oracle E-Business Suite should be shielded from web crawlers and indexing services.
Product: Oracle E-Business Suite
Versions: All versions
Platforms: All platforms
Risk Level: Medium
______________________________________________________________________
Description:
Search engines like Google and Altavista use web crawlers to find web pages to index. Most search engines (including Google and Altavista) can restrict a search to terms that appear in the URL itself. Using this feature, a hacker can quickly find every indexed Oracle Applications login page.
A survey conducted by Integrigy identified over 40 sites running Oracle Applications, all fully accessible from the Internet. No tests for vulnerabilities were performed.
Once a site has been identified, the hacker can attempt to exploit the application. Several published vulnerabilities exist in which, using only a web browser, arbitrary data can be retrieved from the database.
Solution:
Use as many search engines as possible to look for your servers. Each search engine can narrow a search to a specific domain (e.g., example.com) or even to a specific server. Even if your servers cannot be found today, this does not mean a search engine will not locate them in the future, so the search should be repeated. Additional searches should look for documentation or links on related web pages that mention the URL of your server; training or IT websites often contain such information.
There are two solutions to this issue, each of which provides at least minimal protection against a site being indexed by search engines.
1. Robots.txt
The robots.txt file is honored by many search engines (however not all) to limit what they include in their databases; it is a voluntary convention, so a crawler that ignores it is not prevented from fetching anything. Web crawlers look for a robots.txt file in the web server root directory (e.g., http://sun.example.com/robots.txt). Note that the file is itself publicly readable: a Disallow line naming a specific path announces that path to anyone who reads the file, whereas disallowing the whole server reveals nothing. The robots.txt should therefore contain the following lines, which will stop most web crawlers from looking at any pages on the server:
User-agent: *
Disallow: /
If the server has already been indexed, it may take several weeks for the server to be "crawled" again and removed.
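The following is an added example, not code from the alert or from Oracle; it checks a robots.txt the way a crawler that honors the file would, using Python's standard urllib.robotparser, and contrasts the recommended file with a weaker one that disallows only the login page. The login page location /OA_HTML/US/ICXINDEX.htm used here is an assumption for illustration; the alert only gives the file name ICXINDEX.htm. Both robots.txt samples are constructed for the example.

```python
"""Check what a robots.txt does for an Oracle Applications login page.
Added example for this alert; not Integrigy's or Oracle's code."""
from urllib.robotparser import RobotFileParser

# Constructed sample: the file the alert recommends.
RECOMMENDED = """\
User-agent: *
Disallow: /
"""

# Constructed sample of a weaker file that hides only the login page.
# LOGIN_PATH is an assumed location for ICXINDEX.htm, chosen for
# illustration; the alert does not state where the page lives.
LOGIN_PATH = "/OA_HTML/US/ICXINDEX.htm"
LEAKY = f"""\
User-agent: *
Disallow: {LOGIN_PATH}
"""


def can_crawl(robots_text, user_agent, path):
    """True if a crawler that obeys robots_text may fetch path.

    RobotFileParser applies the rules as a compliant crawler does: the
    first Disallow/Allow line whose path is a prefix of the requested
    path wins, and the prefix comparison is case-sensitive.
    """
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp.can_fetch(user_agent, path)


def advertised_paths(robots_text):
    """Return the paths a robots.txt gives away.

    The file is world-readable, so every Disallow other than '/' tells a
    reader where something worth hiding lives. 'Disallow: /' names nothing.
    """
    paths = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow":
            value = value.strip()
            if value and value != "/":
                paths.append(value)
    return paths


def audit(robots_text, login_path=LOGIN_PATH, user_agent="Googlebot"):
    """Summarise a robots.txt: is the login page hidden from obedient
    crawlers, is the whole server hidden, and which paths does the file
    itself reveal?"""
    return {
        "login_page_hidden": not can_crawl(robots_text, user_agent, login_path),
        "whole_server_hidden": not can_crawl(robots_text, user_agent, "/"),
        "reveals": advertised_paths(robots_text),
    }


if __name__ == "__main__":
    for name, text in (("recommended", RECOMMENDED), ("leaky", LEAKY)):
        print(name, audit(text))
```

Two details of the weaker file are worth noting. Because matching is a case-sensitive prefix test, a rule for /OA_HTML/US/ICXINDEX.htm does not cover /OA_HTML/US/icxindex.htm if the web server happens to serve the page under that spelling, while "Disallow: /" covers every path. And the rule itself hands the login page location to anyone who reads robots.txt, which is why the alert's two-line file is the right one for a server that should not be indexed at all.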
2. Firewall Filtering
A more involved solution is to set up appropriate filtering on firewalls and routers to block unauthorized access to these servers.
For sites already indexed by a search engine, contact the individual search engine to have the URL of the site removed. The request should cover only the server running Oracle Applications (e.g., sun.example.com) and not any other websites in your organization.
These solutions provide only limited protection, as many hackers use automated scanning tools that sweep the Internet for vulnerable servers without relying on search engines. Any servers directly connected to the Internet must be sufficiently hardened and monitored on a continuous basis.
Additional Information:
Excluding Robots - http://www.robotstxt.org/wc/norobots.html
Popular Search Engines
www.google.com – Search Phrase = “allinurl: icxindex htm”
www.altavista.com – Search Phrase = url:icxindex.htm
www.alltheweb.com – See advanced search
www.hotbot.com – See advanced search
www.teoma.com – Search Phrase = inurl:ICXINDEX.HTM
______________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.