Most of the time, in fact nearly every time, developers prefer to use
maintained open source libraries instead of reinventing the wheel, but
they seldom audit the code that they actually use. From full-fledged
applications like phpBB to a tiny utility library like number2words,
nearly 50% of the code isn't actually written by the developer. Since
such code is distributed for free, there is no obligation on the
developer or maintainer of that code to make it secure or even fully
functional. This means that most of the web is weak and patchy.
Imagine a search for "include($_GET" that reveals dozens of widely used
open source projects with such an obvious remote file inclusion
vulnerability. Search for "mysql_query" "SELECT * FROM" "$passwd" and
you could find dozens of SQL injection vulnerabilities in the
authentication modules of many well-known open source projects.
For example, when you search for "include($_GET", OpenEngine's CMS is
one of the applications that tests positive for this vulnerability.
Google spots the bug and returns:
**************************************************
openengine18/cms/system/03_admin/start.php - 1 identical
19: {
include($_GET["admin"]."/index.php");
}
www.openengine.de/html/downloads/openengine18.zip - GPL - PHP
**************************************************
There would be many more results with similar vulnerabilities, lined up
in a menu for you to choose the sweetest target.
The keywords "todo" and "security" list many programs that have
unimplemented security features. You can also search through the
directory structure and the archives and packages on the file system,
which means you can find files containing the keywords "confidential"
and "proprietary" that pinpoint code which has been improperly
released. And searching for the function "gets" can reveal programs
with buffer-overflow vulnerabilities. Although Google Code Search only
looks into published code, the magnitude of the problem is hard to
estimate, because the search inverts the usual view: instead of seeing
which vulnerabilities a particular application has, you see every
application that has a particular kind of vulnerability.
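The same pattern searches that the article runs against the whole web can be run against the third-party code a project actually ships, which is the audit step the opening paragraph says developers skip. The following Python script is an added example, not code from the article or from any of the projects it names: it greps a set of vendored PHP and C sources for the three idioms discussed above (an include() path taken from a request array, a variable interpolated into a mysql_query() string, and a call to gets()) and prints one finding per matching line. The file contents and paths are constructed for this example and place each vulnerable idiom next to a hardened counterpart that the scanner correctly leaves alone.

```python
"""Added example (not from the original article): a minimal dependency-audit
scanner that looks for the three dangerous idioms the article names in
vendored PHP and C sources. All sample files below are constructed."""
import re

# Each rule: (finding id, compiled pattern, one-line explanation).
RULES = [
    ("RFI",
     re.compile(r'\b(include|require)(_once)?\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b'),
     "include/require path taken from a request array"),
    ("SQLI",
     # Only catches double-quoted strings with a "$var" inside; a crude grep,
     # like Code Search itself, not a parser.
     re.compile(r'mysql_query\s*\(\s*"[^"]*\$\w+'),
     "variable interpolated into a mysql_query() string"),
    ("BOF",
     # \b keeps fgets() from matching.
     re.compile(r'\bgets\s*\('),
     "gets() reads without a length bound"),
]


def scan_source(path, text):
    """Return (path, line_no, finding_id, explanation) for every line that matches a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for fid, pattern, why in RULES:
            if pattern.search(line):
                findings.append((path, line_no, fid, why))
    return findings


def scan_tree(files):
    """files maps path -> source text; it stands in for walking a vendor/ directory."""
    out = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return out


# Constructed samples: each vulnerable idiom beside its hardened form.
SAMPLES = {
    "vendor/cms/admin/start.php": """<?php
// vulnerable: the module path comes straight from the URL
include($_GET["admin"]."/index.php");
""",
    "vendor/cms/admin/start_fixed.php": """<?php
// hardened: only names from a fixed allowlist can be included
$modules = array("users" => "users", "pages" => "pages");
$name = isset($_GET["admin"]) ? $_GET["admin"] : "";
if (!isset($modules[$name])) { die("unknown module"); }
include(__DIR__ . "/" . $modules[$name] . "/index.php");
""",
    "vendor/auth/login.php": """<?php
// vulnerable: $user and $passwd are interpolated into the query text
$r = mysql_query("SELECT * FROM users WHERE name='$user' AND pass='$passwd'");
""",
    "vendor/auth/login_fixed.php": """<?php
// hardened: placeholders in the query, values bound separately
$st = $pdo->prepare("SELECT * FROM users WHERE name=? AND pass=?");
$st->execute(array($user, $passwd));
""",
    "vendor/util/readline.c": """#include <stdio.h>
char buf[64];
gets(buf);                      /* vulnerable: no length bound */
fgets(buf, sizeof buf, stdin);  /* hardened: bounded read */
""",
}

if __name__ == "__main__":
    for path, line_no, fid, why in scan_tree(SAMPLES):
        print(f"{path}:{line_no}: [{fid}] {why}")
```

Run against the constructed tree the script reports exactly three findings, one for each vulnerable file, and nothing for the three hardened forms. Like a Code Search query, the rules are string patterns rather than a parse of the language, so on a real vendor/ directory they will produce false positives (a commented-out include, for instance) and miss variants such as a request value copied into a local variable first; the point is that a few minutes of grepping the code you ship finds the same class of bug the article finds across the whole web.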
Until now the majority of security flaws went unnoticed and only a few
really stood out. But now Google Code Search exposes the weak strings
of the World Wide Web in its entirety.