This happened on a small site with a user admin system that's password
protected. Seems Googlebot managed to get into the admin system last
night, started crawling admin pages, and ended up munging half the database:
1. Clicking "archive" or "mark inactive" buttons on admin area index pages
2. In a few cases, actually seemed to SUBMIT a form, updating data.
I'm still scratching my head over how Googlebot got into the admin
system to start with. It looks legit from the logs. The IP address,
user-agent and everything else checks out.
Luckily, this isn't a mission-critical site, and database backups are
done nightly, but now it's got me worried for other sites. Googlebot has
*never* caused any problems with password protected admin systems
before, my "robots.txt" file usually excludes the admin folder (and you
can be sure I'm checking the ones I'm not sure about right now) and the
login stuff I use I thought was pretty standard.
My login code is below. Tell me I'm a complete idiot.
So,
1. Anybody else have this problem recently?
2. I'm an idiot I guess, how *should* I be doing my login systems?
(One site on CF8, others still CF7)
4. If you're doing anything like I am, then maybe we're *all* idiots at
this point and need to redo our login pages to use whatever somebody
much smarter than I says to do in #2 above.
---------------------------------------------
Application.cfm page for the admin folder:
---------------------------------------------
<!--- Define that this user is logged out by default --->
<CFPARAM NAME="session.allowin" DEFAULT="false">
<!--- Define this user id to zero by default --->
<CFPARAM NAME="session.user_id" DEFAULT="0">
<!--- If the variable "session.allowin" does not equal true, send user to the login page --->
<cfif session.allowin neq "true">
<cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "../admin_login.cfm">
<cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
<cfelse>
<!--- Not logged in, alert user and redirect --->
<script>
<!---alert("You must login to access this area!");--->
self.location="../admin_login.cfm";
</script>
</cfif>
</cfif>
---------------------------------------------
login_process page:
---------------------------------------------
**QUERY TO CHECK USER/PASS HERE
<cfif Verify.RecordCount>
<!--- logged in ... set the value of the session.allowin value --->
<cfset session.allowin = "True" />
<cfset session.user_id = Verify.id />
<script>
self.location="idx_admin.cfm";
</script>
<cfelse>
<!--- not logged in, redirect to the login page --->
<script>
alert("Your credentials could not be verified, please try again!!!");
self.location="../admin_login.cfm";
</script>
</cfif>
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319536
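For comparison, here is a server-side version of the same Application.cfm check, added as an example and not the poster's code. The posted version emits an HTML page containing a JavaScript redirect, so any client that does not run JavaScript (a crawler, curl, a scripted request) still receives the full admin page and can follow its links; this version uses cflocation and cfabort so the protected page is never rendered at all, and the action-page guard at the end refuses state changes over GET. The cfapplication tag, the /admin folder layout and the 405 response are assumptions.

```cfml
<!--- ===== /admin/Application.cfm (added example, not the original code) ===== --->
<!--- Assumed: session management is enabled for this application. --->
<cfapplication name="adminArea" sessionmanagement="true"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Logged out and anonymous by default --->
<cfparam name="session.allowin" default="false">
<cfparam name="session.user_id" default="0">

<!--- Pages that may be requested without a login, compared by bare file name.
      ListLast() strips the directory, so comparing against "../admin_login.cfm"
      as in the posted code can never match. --->
<cfset publicPages = "admin_login.cfm,login_process.cfm">
<cfset thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfset loggedIn = IsBoolean(session.allowin) AND session.allowin>

<cfif NOT loggedIn AND NOT ListFindNoCase(publicPages, thisPage)>
    <!--- HTTP 302 issued by the server; cflocation stops processing of the
          requested page, so no admin markup reaches the client. cfabort is a
          belt-and-braces guard in case the redirect is ever refactored. --->
    <cflocation url="/admin_login.cfm" addtoken="no">
    <cfabort>
</cfif>

<!--- ===== top of any state-changing handler, e.g. /admin/archive.cfm ===== --->
<!--- A link followed by a crawler is a GET; require POST for anything that
      writes to the database so a plain link can never archive or deactivate. --->
<cfif CGI.REQUEST_METHOD NEQ "POST">
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cfabort>
</cfif>
```

The login_process page can stay as posted, but its success path should also redirect with cflocation rather than a script block, for the same reason.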