Google knows your Joomla passwords!
Published by Evil Bee Monday, 09 October 2006 10:30
Well, maybe. Now that I have your attention, read the following information published by the Joomla Core team.
Joomla! Developer Network
It has come to our attention that Google has released a new product, Google Code Search, that is capable of indexing and crawling through archive files stored in the public directories of web servers. We are reporting this as a security advisory because we have discovered that some site administrators are storing archives / backups of their website in the web root. Because of this, Google Code Search is able to crawl the archives and read unparsed PHP files as if they were plain text. This has resulted in the disclosure of some sensitive information including MySQL passwords and SMTP credentials.
We felt that it was necessary to release a general advisory now in order to warn the sites that have been exposed as well as to protect and educate our users on some best practices in order to keep your site secure.
1. Never store a backup or archived version of your website in a web server’s public readable directories.
2. Do not leave files that you do not want to be read/indexed/searched/downloaded in the web root.
3. If it is absolutely necessary, make your hosting provider disable directory index generation for that directory.*
4. Password protect directories that contain sensitive information.
Furthermore, if you think your site’s login credentials may have been compromised in this way, please remove the backups / archives stored in the web root, change all of the associated passwords, and if necessary, ask your hosting provider to restore your site from a previous backup and be sure that they clean up after themselves and remove the archive that they used to restore your site.
If you would like more proactive protection against the indexing and downloading of related archives, please see this thread in the Joomla! Security Forums where some discussion is being held on how to protect yourself from these problems. http://forum.joomla.org/index.php/topic,101880.0.html
* Directory Indexing is a feature of mod_dir, an Apache module that will generate a list of all files in a directory if there is no index.html/php/etc file found in that directory. This is most likely how the archives are being found by Google Code Search.
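To make the four recommendations above and the mod_dir footnote concrete, here is an added example (not part of the Joomla advisory or the Joomla code base) that audits a web root for backup archives and database dumps, then writes an .htaccess that switches off directory listings and refuses to serve those extensions. The demo web root, its file names and the extension list are constructed for illustration; adjust the list to whatever your backup tool produces.

```shell
#!/bin/sh
# Added example: find backup archives sitting in a web root and generate a
# defensive .htaccess. Not Joomla project code; the demo tree is constructed.

# Extensions that usually mark a site backup or database dump (assumed list).
ARCHIVE_EXT='zip|tar|tgz|gz|bz2|sql|bak|old'

# Print every archive-like file under the given web root, one per line.
# Anything listed here is readable by a crawler exactly as the advisory
# describes, because the web server hands the raw file back without
# running it through PHP.
find_webroot_archives() {
    find "$1" -type f | grep -E "\.($ARCHIVE_EXT)\$" | sort
}

# Number of archive-like files under the web root (0 is the goal).
count_webroot_archives() {
    find_webroot_archives "$1" | wc -l | tr -d ' '
}

# Write an .htaccess in the given directory that disables mod_dir listings
# (Options -Indexes, the footnote's "directory index generation") and denies
# the archive extensions. Apache 2.2 syntax; on Apache 2.4 replace the
# Order/Deny pair with "Require all denied" or load mod_access_compat.
# Requires AllowOverride Options and Limit for the directory; if the host
# does not permit that, ask them to set it in the server config instead.
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
Options -Indexes
<FilesMatch "\.($ARCHIVE_EXT)\$">
    Order deny,allow
    Deny from all
</FilesMatch>
EOF
}

# Constructed demo: a Joomla-like tree plus the kind of backup the advisory
# warns about, left in the web root and in a "backups" subdirectory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/administrator" "$demo_root/backups"
touch "$demo_root/index.php" "$demo_root/configuration.php"
touch "$demo_root/site-backup-2006-10-01.tar.gz"
touch "$demo_root/backups/joomla.sql"

echo "Archive-like files exposed under $demo_root:"
find_webroot_archives "$demo_root"
echo "Count: $(count_webroot_archives "$demo_root")"

write_htaccess "$demo_root"
echo "Wrote $demo_root/.htaccess:"
cat "$demo_root/.htaccess"

rm -rf "$demo_root"
```

Run the audit against the real document root (for example `find_webroot_archives /var/www/html`) and treat every hit as recommendation 1 or 2 above: move it outside the web root rather than relying on the .htaccess, which only stops the web server from serving the file and does nothing for a copy a search engine has already fetched. If the audit finds anything that contains a configuration.php or a SQL dump, assume the database and SMTP credentials in it are known and rotate them as the advisory says.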
