Friday, August 1, 2008

Admin Interface on the Web - It Boggles the Mind

As system administration has matured and information technology has come along over the past decade or so we've learned many things which appear to go in one ear and then out the other. Most of these deal with secure systems design, and basically how to keep from making yourself an easy target for hackers.

With that glowing in the back of my mind like a energy-saving lightbulb I went on a hunt for things that should not be available on the web.

First off, I think I've had this debate with people so many times it hurt my brain - but administrative interfaces to applications, appliances, or widgets simply shouldn't be available to the general web-based casual viewer. Worse yet, it should definitely *not* be index-able with a search engine.

With that in mind, I decided to give Google a chance to see how many people still allow open, administrator pages on the 'net. Granted, sometimes you just can't help this, right... but if I can index your admin page, and your authentication mechanism isn't well-built... it's only a matter of time before I pwn you. Check it out for yourself, go to Google, and use this search term "inurl:"admin" intext:administrator login" and see what you get. Scarry, huh? How many of these systems that you find do you think you can grind away at until you guess a password via brute-force?

Common boys and girls... you should *not* put an admin interface on the general net, that's what we have VPNs for, and management networks. *sigh*.


Michael Janke said...

Or -

Think how many of these systems still have default passwords.

On the other hand, it makes it way easier to find all my administrative interfaces after my bookmarks files gets corrupted.

Let me think....URL filtering with a load balancer, IP address filtering with your web server, binding the admin interface to a different, firewalled port....

Yep I guess there is no excuse.


Christian "@xntrik" Frichot said...

Couldn't agree with you more, just crazy. It's not even surprising any more when almost every single vulnerability assessment and/or penetration test highlights this glaring exposure. And are they ever protected by more than just a password? Hell no!