Insecure Polish goverment’s sites

After a few simple queries in Google I have to conclude that Polish government sites aren’t secure enough. We can easily use “Google Hacking” to access a range of  information about server paths, databases configurations etc. Because of my findings I decided to write a post about “secure error reporting” in web applications. Error reporting in Web applications is essential for software developers. Without it finding bugs in their code would be very difficult. Unfortunately, developers tend to forget to switch off this error reporting when the site or application goes live on the production server. So what? By default the PHP language returns all errors, warnings and notices to a browser. And this is great while you are developing and testing, but it means a potential security breach for the live application. Error reporting enabled on a production server is a security hole! Potential attackers can get a lot of information from error and warning messages. Finding the holes is very simple A very popular technique of finding these holes is Google Hacking. For example, we ask Google for all government sites with a “warning” phrase: “site:gov.pl +warning” or “site:gov.pl +intitle:warning”. These simple queries return many sites with warnings messages that can be used to attack these sites. Of course it is possible to disable error reporting on a production server, but… it is nessecary to know what is going on with that server and its applications. Therefore all errors should be logged, but not visible for the outside world. What should be done?
  • First of all, applications should be developed in a dev enviroment. Error reporting should be enabled at the higest possible level. In PHP I recommend the E_STRICT level. On the production enviroment all ways of communication that can give information about the server or its configuration should be disabled.
  • The application has to be tested. At least unit and functional tests should be performed.
  • The application logs should be frequently checked. All noticed bugs need to be fixed asap.
Conclusion rather shocking The result of this simple reasearch is rather shocking. One of the government’s main duties in the information age is to protect confidential data of its citizens. But in practice you can easily breach government systems. It is rather easy to access important information (sometimes even login and password to servers) without any special knowledge. You only have to know how to use Google and other search engines, just because someone didn’t bother to implement basic security measures when installing applications on a production server (in important goverment applications)!