Off topic: a cautionary tale.
Just because it's too much fun to not pass along, and a useful cautionary tale. Fortunately, the person this happened to has a sense of humor about it...
A friend of mine was working on his home web site. It was a bunch of stuff, back-ended by mySQL. He was, for instance, installing a search engine (using htDig) for the content, but it wasn't cooperating and he was trying to figure out why.
Suddenly, the site goes dark. He can't log into it. He starts snooping, he can't get into MySQL. Uh, oh. (oh. No backups, either).
The entire site implodes. He finally gives up, goes into the web logs to see what happened, thinking he got hacked.
Well, not quite.
One of the tools he installed was phpMyAdmin to administer the MySQL stuff. He installed it behind a .htaccess file like you're supposed to. But what he didn't realize was the .htaccess file wasn't working right, letting anything in.
What got in was -- htDig, the search engine. Which happily follows all links, including, if you let it spider phpMyAdmin, the "delete this database" links. Including the database holding all of the MySQL configuration and account info. Which causes MySQL to die. Which...
You get the picture. His search engine got into his database and deleted all of his data, because while it wasn't working, it COULD spider. And it got into an area it shouldn't have gotten into, even though it wasn't linked on the web site.
How's that, you ask? How did HtDIG find it?
Well -- one of the other things he'd added was log processing. Including referer tracking. And one of the links the logs showed was a referer link back to the phpMyAdmin pages. So by spidering the web log data, HtDIG found a link into phpMyAdmin, which was supposed to be password protected but wasn't, which let htDig become a DBA, which let HtDIG delete all of the data...
When you build systems, do you think through the side effects of what you're doing? What are you missing? (and would you have ever figured out why this happened to you? I wonder if I would have.... )
Happy hacking... But be careful out there.
-- Chuq Von Rospach, Architech chuqui@plaidworks.com -- http://www.chuqui.com/
The Cliff's Notes Cliff's Notes on Hamlet: And they all died happily ever after
"CVR" == Chuq Von Rospach <chuqui@plaidworks.com> writes:
CVR> You get the picture. His search engine got into his database
CVR> and deleted all of his data, because while it wasn't working,
CVR> it COULD spider. And it got into an area it shouldn't have
CVR> gotten into, even though it wasn't linked on the web site.
Ouch.
CVR> Happy hacking... But be careful out there.
Thanks Sgt Esterhaus! :) -Barry
On Tue, 30 Jul 2002, Chuq Von Rospach wrote:
> What got in was -- htDig, the search engine. Which happily follows all links, including, if you let it spider phpMyAdmin, the "delete this database" links. Including the database holding all of the MySQL configuration and account info. Which causes MySQL to die. Which...
I've thought for a while that phpMyAdmin was making a mistake with GET links for all those actions--they should be POST buttons, and spiders would not be able to do this.
-Dale
"DN" == Dale Newfield <Dale@Newfield.org> writes:
DN> On Tue, 30 Jul 2002, Chuq Von Rospach wrote:
>> What got in was -- htDig, the search engine. Which happily
>> follows all links, including, if you let it spider phpMyAdmin,
>> the "delete this database" links. Including the database
>> holding all of the MySQL configuration and account info. Which
>> causes MySQL to die. Which...
DN> I've thought for a while that phpMyAdmin was making a mistake
DN> with GET links for all those actions--they should be POST
DN> buttons, and spiders would not be able to do this.
We had this discussion a while back w.r.t. Mailman's web confirmation pages. It was pointed out (forcefully ;) that GETs shouldn't have side effects, and should be reproducible, so the web confirmations were turned into POSTs. Sounds like phpMyAdmin is violating the conventions.
As an added precaution, for non-undoable actions like deleting a list, Mailman requires the list admin password, even though it knows you're authenticated.
-Barry
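To make Dale's point (destructive actions as GET links can be triggered by any spider) and Barry's point (side-effecting actions belong on POST, and non-undoable ones should re-ask for the admin password) concrete, here is a small added illustration. It is constructed for this thread and is not phpMyAdmin's or Mailman's code; the route names, the `LinkStyleAdmin`/`PostStyleAdmin` classes, the admin password constant and the toy spider are all hypothetical. The spider behaves like htDig in the story: it only ever issues GETs and follows every `href` it sees.

```python
"""GET links versus POST-plus-password for destructive admin actions.

Constructed example for the thread above. Two toy admin apps expose a
"drop database" action; a link-following spider is run against both.
"""
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Constructed admin password for the example; a real app stores a salted hash.
ADMIN_PASSWORD = "correct horse battery"

# A spider only sees anchors; a <form action=...> is not a link it follows.
HREF_RE = re.compile(r'href="([^"]+)"')


class LinkStyleAdmin:
    """The 'before' design: every destructive action is a plain GET link."""

    def __init__(self):
        self.databases = {"mysql", "blog"}

    def handle(self, method, url, form=None):
        parts = urlsplit(url)
        if parts.path == "/db":
            links = "".join(
                f'<a href="/db/drop?name={db}">delete {db}</a>'
                for db in sorted(self.databases)
            )
            return 200, f"<html>{links}</html>"
        if parts.path == "/db/drop":
            # Side effect on a GET: anything that follows links can trigger it.
            name = parse_qs(parts.query).get("name", [""])[0]
            self.databases.discard(name)
            return 200, f"<html>dropped {name}</html>"
        return 404, "<html>not found</html>"


class PostStyleAdmin:
    """The 'after' design: drop needs POST and the admin password, as Barry describes."""

    def __init__(self):
        self.databases = {"mysql", "blog"}

    def handle(self, method, url, form=None):
        parts = urlsplit(url)
        if parts.path == "/db":
            # Destructive actions are rendered as POST forms, not anchors.
            forms = "".join(
                f'<form method="post" action="/db/drop">'
                f'<input type="hidden" name="name" value="{db}">'
                f'<input type="password" name="password">'
                f"<button>delete {db}</button></form>"
                for db in sorted(self.databases)
            )
            return 200, f"<html>{forms}</html>"
        if parts.path == "/db/drop":
            if method != "POST":
                return 405, "<html>use POST</html>"  # GET must stay side-effect free
            form = form or {}
            # Constant-time comparison of the re-entered admin password.
            if not hmac.compare_digest(form.get("password", ""), ADMIN_PASSWORD):
                return 403, "<html>admin password required</html>"
            name = form.get("name", "")
            if name not in self.databases:
                return 404, "<html>no such database</html>"
            self.databases.discard(name)
            return 200, f"<html>dropped {name}</html>"
        return 404, "<html>not found</html>"


def spider(app, start="/db", limit=100):
    """Follow every href reachable from `start` using GET only, like htDig would."""
    seen, queue = set(), [start]
    while queue and len(seen) < limit:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        status, body = app.handle("GET", url)
        if status == 200:
            queue.extend(HREF_RE.findall(body))
    return seen


if __name__ == "__main__":
    old = LinkStyleAdmin()
    spider(old)
    print("link-style app after spidering:", old.databases)   # set()
    new = PostStyleAdmin()
    print("post-style pages crawled:", spider(new))            # {'/db'}
    print("post-style app after spidering:", new.databases)   # {'mysql', 'blog'}
    print(new.handle("GET", "/db/drop?name=blog")[0])          # 405
    print(new.handle("POST", "/db/drop", {"name": "blog", "password": "nope"})[0])  # 403
```

Running it shows the spider emptying the link-style app while leaving the POST-style one untouched: it never discovers the action (there is no `href`), and even a direct GET of `/db/drop` is refused. The password check on top of authentication is the same belt-and-braces approach Barry describes for deleting a Mailman list.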
participants (3)
- barry@python.org
- Chuq Von Rospach
- Dale Newfield