Monday, October 26, 2009

Re: Google Bot deleting my database entries!

Your add action has auth, but in your app_controller.php did you add
any auth for the "delete" action too?


http://doidata.net/contributor_roles/delete - Invalid id for
ContributorRole : this is wide open...

Andras

On Oct 26, 2009, at 5:36 PM, audioworld wrote:

>
> Hello Andras, thanks for checking,
>
> but as you can see from the app_controller above, I think I
> implemented the authentication properly.
> what you see at the link is just the "index" action, but when you
> click on an "add" action:
> http://doidata.net/contributor_roles/add
>
> there is the correct error message:
> "your are not allowed to acces this page"
>
> so it is still unclear to me how the delete action can be used without
> authentication...
>
>
> On 26 Okt., 22:27, Andras Kende <and...@kende.com> wrote:
>> Hello,
>>
>> Your site is not password protected, so the Google robot is just crawling
>> through the delete links..
>>
>> http://doidata.net/contributor_roles/
>>
>> Andras
>>
>> On Oct 26, 2009, at 4:36 PM, audioworld wrote:
>>
>>
>>
>>> I have a basic database management online at http://doidata.net
>>> The access to the admin section is secured with a simple
>>> authentication which is hardcoded in the file /config/core.php
>>> In theory, for someone without the admin cookie set, access to the
>>> routes
>>> ../resource/delete/ID
>>> should be blocked. However, when I try this URL in the browser, it
>>> really works WITHOUT authentication, and the database entry is
>>> deleted!!! This was demonstrated last night by Google Bot, which
>>> seems to try out every possible route, and deleted most of my entries..
>>
>>> here are some lines from the APACHE access log:
>>> 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>>> 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>>
>>> I am very thankful for any help to lock up my database edit/delete
>>> access,
>>> thanks, karl.


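The thread's diagnosis, worked through in code as an added example (not code from the thread, nor CakePHP's own): the "add" action checks the admin flag inside its own body, while "delete" has no check at all, so any client that follows the link on the index page, including a crawler, removes a row with a plain GET. The plain-PHP harness below stands in for the CakePHP dispatcher (the `beforeFilter()` hook name is borrowed from CakePHP; the `BaseController`, `dispatch()` and the controller classes are assumptions for illustration). It replays the logged request, `GET /contributor_roles/delete/15` from an anonymous client, against the vulnerable pattern and against a deny-by-default version that also refuses to change state on GET.

```php
<?php
// Added example, not the thread's or CakePHP's code. A minimal stand-in for
// the CakePHP controller flow: beforeFilter() runs before every action, then
// the action itself. $isAdmin plays the role of the admin cookie in the thread.

abstract class BaseController {
    protected $isAdmin;
    protected $method;        // HTTP method of the request
    public $deleted = [];     // rows removed by this request (stands in for the DB)

    public function __construct(bool $isAdmin, string $method) {
        $this->isAdmin = $isAdmin;
        $this->method = strtoupper($method);
    }

    // Runs before every action; null means continue, a response stops dispatch.
    protected function beforeFilter(string $action): ?array { return null; }

    // Assumed mini dispatcher: hook first, then the named action.
    public function dispatch(string $action, ?int $id = null): array {
        if ($r = $this->beforeFilter($action)) return $r;
        if (!method_exists($this, $action)) return [404, 'Not Found'];
        return $this->$action($id);
    }
}

// Vulnerable pattern from the thread: the only check lives inside add(),
// so GET /contributor_roles/delete/15 from anyone deletes the row.
class VulnerableContributorRoles extends BaseController {
    public function index(?int $id): array { return [200, 'list']; }
    public function add(?int $id): array {
        if (!$this->isAdmin) return [403, 'you are not allowed to access this page'];
        return [200, 'add form'];
    }
    public function delete(?int $id): array {
        if ($id === null) return [200, 'Invalid id for ContributorRole'];
        $this->deleted[] = $id;            // no auth, no method check
        return [200, 'Deleted'];
    }
}

// Hardened: deny by default in beforeFilter (only index is public), and
// refuse to mutate on GET so a link in a page can never trigger a delete.
class HardenedContributorRoles extends BaseController {
    private $publicActions = ['index'];

    protected function beforeFilter(string $action): ?array {
        if (in_array($action, $this->publicActions, true)) return null;
        if (!$this->isAdmin) return [403, 'you are not allowed to access this page'];
        return null;
    }
    public function index(?int $id): array { return [200, 'list']; }
    public function add(?int $id): array { return [200, 'add form']; }
    public function delete(?int $id): array {
        if ($this->method !== 'POST') return [405, 'delete requires POST'];
        if ($id === null || $id <= 0) return [400, 'Invalid id for ContributorRole'];
        $this->deleted[] = $id;
        return [200, 'Deleted'];
    }
}

// Replay the crawler's logged request (anonymous GET) against both controllers.
$bot = new VulnerableContributorRoles(false, 'GET');
[$code, $body] = $bot->dispatch('delete', 15);
printf("vulnerable: anonymous GET delete/15 -> %d %s, deleted=%s\n",
       $code, $body, json_encode($bot->deleted));

$bot = new HardenedContributorRoles(false, 'GET');
[$code, $body] = $bot->dispatch('delete', 15);
printf("hardened:   anonymous GET delete/15 -> %d %s, deleted=%s\n",
       $code, $body, json_encode($bot->deleted));

$admin = new HardenedContributorRoles(true, 'GET');
[$code, $body] = $admin->dispatch('delete', 15);
printf("hardened:   admin GET delete/15     -> %d %s\n", $code, $body);

$admin = new HardenedContributorRoles(true, 'POST');
[$code, $body] = $admin->dispatch('delete', 15);
printf("hardened:   admin POST delete/15    -> %d %s, deleted=%s\n",
       $code, $body, json_encode($admin->deleted));
```

In a real CakePHP app the equivalent of the hardened `beforeFilter()` goes in `AppController::beforeFilter()`, which CakePHP runs before every action of every controller, and `$this->action` tells you which action is being requested; that is the place to deny everything except an explicit public list, rather than remembering to add a check to each action. The second rule matters independently of authentication: a state-changing action that answers to GET is reachable from any link, image tag or prefetch, so even a logged-in admin can be made to delete rows by visiting a page that embeds the URL. A `robots.txt` entry would only keep well-behaved crawlers away and is not an access control.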
You received this message because you are subscribed to the Google Groups "CakePHP" group.
