On Tuesday 10 October 2006 16:30, Matt Quackenbush wrote:
Hmm... okay, so the issue that is being referred to here is when the
login check is handled AFTER that link is displayed?
No, no, no - it's much worse.
The Google accelerator thing looks at the page loaded in the browser (which
On Tuesday 10 October 2006 16:51, Matt Quackenbush wrote:
main question now is: what is considered the best antidote for such a
problem. Since I didn't know what it was, I obviously don't use web
Don't use HTTP GET (links) for things that have side effects; use them for
views.
Use HTTP POST
You hit it..
it was the web accelerator.
I now know that I should not let a simple clicked link change
anything. Both of these sites were written in ColdFusion version 2
and 3 when I didn't know better :) WAY too many pages to go back and
change them now. I thought since it was password
-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 9:27 AM
To: CF-Talk
Subject: RE: Strange security problem with googlebot
You hit it..
it was the web accelerator.
I now know that I should not let a simple clicked link change anything.
Both of these sites were
On Tuesday 10 October 2006 15:50, Matt Quackenbush wrote:
Okay, call me silly, but what kind of code exactly can cause this problem?
<a href="/site/secure/admin/user.cfm?action=del&id=2436">Delete this user</a>
--
Tom Chiverton
Helping to assertively utilize leading-edge relationships
the appropriate credentials, and b) how a bot would get past a
login/credential check.
Thanks,
Matt
-Original Message-
From: Tom Chiverton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 10:16 AM
To: CF-Talk
Subject: Re: Strange security problem with googlebot
On Tuesday 10
Matt Quackenbush wrote:
Hmm... okay, so the issue that is being referred to here is when the
login check is handled AFTER that link is displayed? I guess I'm still a
bit confused, because I can't understand a) why any such link would be
displayed to anyone (or any bot) without them first
Hmm... okay, so the issue that is being referred to here
is when the login check is handled AFTER that link is
displayed? I guess I'm still a bit confused, because I can't
understand a) why any such link would be displayed to anyone
(or any bot) without them first being logged-in and
, 2006 10:46 AM
To: CF-Talk
Subject: RE: Strange security problem with googlebot
Hmm... okay, so the issue that is being referred to here is when
the login check is handled AFTER that link is displayed? I guess I'm
still a bit confused, because I can't understand a) why any such link
Thanks for the reply. I guess I first should've gone and
checked to see what 'web accelerator' was, and then I might
have understood. I guess my main question now is: what is
considered the best antidote for such a problem. Since I
didn't know what it was, I obviously don't use web
Yes, since the Web Accelerator only makes GET requests. In HTTP, GET requests
shouldn't make changes; only POST requests should do that.
Dave
I am just playing with this in my head. Would a form with method=get be
affected by the accelerator, or only anchors with get parameters built in to
I am just playing with this in my head. Would a form with
method=get be affected by the accelerator, or only anchors
with get parameters built in to the href parameter?
I haven't used it, so I can only speculate. That said, I suspect that it
only follows A tags.
Dave Watts, CTO, Fig Leaf
Actually, in my defense:)
the web accelerator is not supposed to follow a link that has a
query parameter... and it worked correctly for a long
time.. apparently a recent update to it introduced a bug where it IS
following links with query parameters. I reported it to google.
It
I don't know how this could possibly happen...
on 2 of my websites, someone hacked into the admin areas and
changed hundreds of things by clicking links. I log every action
taken, along with the ip address of who did it and traced back the ip
to googlebot.
I was using IIS basic
I don't know how this could possibly happen...
on 2 of my websites, someone hacked into the admin areas
and changed hundreds of things by clicking links. I log
every action taken, along with the ip address of who did it
and traced back the ip to googlebot.
I was using IIS basic