The access to the admin section is secured with a simple
authentication which is hardcoded in the file /config/core.php
In theory, when someone without the admin cookie set, access to the
routes
../resource/delete/ID
should be blocked. However, when I try this URL in the browser, it
really works WITHOUT atuhentication, and the database entry is
deleted!!! This was demonstrated last night by Google Bot which seems
to try our every possible route, and deleted most of my entries..
here are some lines from the APACHE acces log:
66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/
delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/
2.1; +http://www.google.com/bot.html)"
66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/
delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/
2.1; +http://www.google.com/bot.html)"
I am very thankful for any help to lock up my database edit/delete
access,
thanks, karl.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
No comments:
Post a Comment