1

Topic: Warning : Security problem with google webaccelerator

PunBB administrators :
DO NOT use google webaccelerator ( http://webaccelerator.google.com/ ) while you are on your forum.

There is a security problem.

This is not a PunBB bug; it can appear with other forums or websites with personal data cached.

http://groups-beta.google.com/group/Goo … b558802c4/

[David:moua]

Re: Warning : Security problem with google webaccelerator

If that's true, all hell is going to break loose.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Warning : Security problem with google webaccelerator

How can I block it easily? With an .htaccess?

Sorry for my french english.
GT4 Club driver France & Forum - Lingerie.

4

Re: Warning : Security problem with google webaccelerator

If you're on a broadband connection already, then I don't see the advantage of using a proxy.

I used to run squid on my server and directed all web traffic through it. When we were on dial-up it was a great help but once we switched to DSL, it got in the way.

So anyone using the Google accelerator can become admins on phpBB forums, let the fun begin :)

Re: Warning : Security problem with google webaccelerator

I just had a go with it. BTW, for you to be an admin, an admin on that forum also has to use it, since it's a caching bug. And it really is fast: you notice sites loading instantly and images taking much longer than normal to catch up

Re: Warning : Security problem with google webaccelerator

Connorhd: Fine, just don't use it in these forums. At least not until it's fixed/considered safe.


Re: Warning : Security problem with google webaccelerator

So if I use this to sign on to my site as Admin, other people that use the accelerator will be able to gain access to the admin section of my forums?

8

Re: Warning : Security problem with google webaccelerator

Connorhd wrote:

you notice sites loading instantly and images taking much longer than normal to catch up

How is that good? Modern designs need the images to work out where to put everything. It seems to me this will just amplify rendering/timing bugs, particularly in Gecko browsers.

Re: Warning : Security problem with google webaccelerator

Paul wrote:
Connorhd wrote:

you notice sites loading instantly and images taking much longer than normal to catch up

How is that good? Modern designs need the images to work out where to put everything. It seems to me this will just amplify rendering/timing bugs, particularly in Gecko browsers.

I didn't say it was good, it's actually rather freaky and annoying :P

10 (edited by erissiva 2005-05-06 15:47)

Re: Warning : Security problem with google webaccelerator

It's even worse than I thought... Apparently GWA works by caching all pages (repeat ALL) you view on a central server. This includes pages that are password protected, email you read, private journal entries, or credit-card statements.

The server then makes these pages available for anyone else who goes to the same address with GWA on.
So, even if you password protect a forum - someone can still read it if it's been viewed by someone with GWA.


Whole article explaining here:

http://www.somethingawful.com/articles.php?a=2858

Re: Warning : Security problem with google webaccelerator

All except https, and if your bank is not https, get a new one.

Re: Warning : Security problem with google webaccelerator

Looks like it might be even worse than "just" getting access to other people's private pages: http://37signals.com/svn/archives2/goog … igners.php

Re: Warning : Security problem with google webaccelerator

Do you think they thought this through? Seems very "bodged".

Re: Warning : Security problem with google webaccelerator

Google is crap now, they have moved into so many new things that people download because it's Google, but they're not very good at any of it.

Why make an app that clicks all the links and ignores javascript warnings... how dumb is that.

Anyway, here is a fix:

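class ApplicationController < ActionController::Base
  # Run the check before every action in the application.
  before_filter :disable_link_prefetching

  private
    # Reject requests that carry the "X-moz: prefetch" header.
    def disable_link_prefetching
      if request.env["HTTP_X_MOZ"] == "prefetch"
        logger.debug "prefetch detected: sending 403 Forbidden"
        render_nothing "403 Forbidden"
        return false  # returning false halts the filter chain
      end
    end
end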

http://david.backpackit.com/pub/37983

Re: Warning : Security problem with google webaccelerator

Mah!

I need to block GWA from hitting my site, but this code you list is for web applications utilizing Ruby On Rails only. The only other fix I can find is by blocking all IPs using it and sending them a 403. But, this would kill off all visitors wanting to visit my site.

So, is there any other way to prevent GWA from royally screwing up my site? This is like a virus! This is horrible!

Re: Warning : Security problem with google webaccelerator

http://fantomaster.com/fantomNews/archi … or-update/

Google Web Accelerator (GWA) IP range, namely: 72.14.194.0 - 72.14.194.255

You can block this with your .htaccess file
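
An .htaccess sketch of the two server-side blocks discussed in this thread, added here as an example (it is not part of the post above or of PunBB). The header value and the IP range are the ones quoted in the thread; the directives are standard Apache, shown for both the 2.4 and the older 2.2-style access syntax.

```apache
# 1) Refuse link-prefetch requests. This is the same "X-moz: prefetch"
#    header that the Rails before_filter posted earlier checks for.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:X-moz} ^prefetch$ [NC]
    RewriteRule ^ - [F]
</IfModule>

# 2) Refuse the accelerator proxy range quoted in this thread:
#    72.14.194.0 - 72.14.194.255, written in CIDR form as 72.14.194.0/24.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 72.14.194.0/24
    </RequireAll>
</IfModule>

# Apache 2.2 and earlier (Order/Allow/Deny)
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from 72.14.194.0/24
</IfModule>
```

Rule 1 only stops prefetching of links; rule 2 rejects every request arriving from that range, so it is only as complete as the range itself. The server must permit these directives in .htaccess (AllowOverride FileInfo for the rewrite, AuthConfig or Limit for the access rules).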

Re: Warning : Security problem with google webaccelerator

If I don't use GWA, can someone using it still get my log in info just by visiting my site?

18 (edited by scottywz 2005-06-05 22:34)

Re: Warning : Security problem with google webaccelerator

Someone (while I'm at it I guess I may do it) needs to report this to Google.

Admins: DON'T USE GOOGLE WEB ACCELERATOR!!!

almost_there wrote:

If I don't use GWA, can someone using it still get my log in info just by visiting my site?

From what I've read, I don't think so, but better safe than sorry.

19 (edited by scottywz 2005-06-05 22:33)

Re: Warning : Security problem with google webaccelerator

chris9902 wrote:

http://fantomaster.com/fantomNews/archi … or-update/

Google Web Accelerator (GWA) IP range, namely: 72.14.194.0 - 72.14.194.255

You can block this with your .htaccess file

They're trying to let more users in so there may be more users (and new IP addresses) over time. I reported it by the way.

20 (edited by scottywz 2005-06-05 22:33)

Re: Warning : Security problem with google webaccelerator

chris9902 wrote:

http://fantomaster.com/fantomNews/archi … or-update/

Google Web Accelerator (GWA) IP range, namely: 72.14.194.0 - 72.14.194.255

You can block this with your .htaccess file

I did an IP-range ban.