[VIM] Googlebot Destroys Morons Website (fwd)

security curmudgeon jericho at attrition.org
Wed Mar 29 10:17:03 EST 2006

Amusing and interesting. Wonder what CMS he was using =)

---------- Forwarded message ----------
From: Dude VanWinkle <dudevanwinkle at gmail.com>
To: FunSec LList <funsec at linuxbox.org>
Date: Wed, 29 Mar 2006 05:44:10 -0700

Things went pretty well for a few days after going live. But, on day
six, things went not-so-well: all of the content on the website had
completely vanished and all pages led to the default "please enter
content" page. Whoops.

Josh was called in to investigate and noticed that one particularly
troublesome external IP had gone in and deleted *all* of the content
on the system. The IP didn't belong to some overseas hacker bent on
destroying helpful government information. It resolved to
googlebot.com, Google's very own web crawling spider. Whoops.

After quite a bit of research (and scrambling around to find a
non-corrupt backup), Josh found the problem. A user copied and pasted
some content from one page to another, including an "edit" hyperlink
to edit the content on the page. Normally, this wouldn't be an issue,
since an outside user would need to enter a name and password. But,
the CMS authentication subsystem didn't take into account the
sophisticated hacking techniques of Google's spider. Whoops.

As it turns out, Google's spider doesn't use cookies, which means that
it can easily bypass a check for the "isLoggedOn" cookie to be
"false". It also doesn't pay attention to JavaScript, which would
normally prompt and redirect users who are not logged on. It does,
however, follow every hyperlink on every page it finds, including
those with "Delete Page" in the title. Whoops.
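The failure chain in the forwarded message, modelled as an added example that is not code from the CMS or from the original author: the cookie check that a cookie-less crawler walks straight past, next to a hardened version that decides authentication from a server-side session and refuses to mutate state on GET. `Request`, `SESSIONS`, `login` and the `handle_delete_*` names are assumptions for this illustration.

```python
"""Constructed model of the CMS failure: a cookie only checked for != "false",
plus a state-changing GET link. Not the original CMS; all names are assumed."""
from dataclasses import dataclass, field
import secrets

@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

# Server-side session store: opaque session id -> {"user": ..., "csrf": ...}
SESSIONS: dict = {}

def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid

def handle_delete_vulnerable(req: Request, pages: dict) -> int:
    # Client-controlled cookie: a spider that sends no cookies is never "false"
    if req.cookies.get("isLoggedOn") == "false":
        return 302  # the JS redirect to the login page; a spider ignores it
    pages.pop(req.path.split("/")[-1], None)  # delete on a plain GET link
    return 200

def handle_delete_hardened(req: Request, pages: dict) -> int:
    if req.method != "POST":
        return 405  # never change state on GET: crawlers follow every link
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401  # authn comes from the server-side session, not a cookie value
    if not secrets.compare_digest(sess["csrf"], req.form.get("csrf", "")):
        return 403  # a copied/pasted link cannot carry a valid per-session token
    pages.pop(req.form.get("page", ""), None)
    return 200

def crawler_follows_delete_link(handler) -> tuple:
    # Constructed Googlebot-style request: GET, no cookies, no JavaScript
    pages = {"home": "...", "about": "..."}
    status = handler(Request("GET", "/delete/about"), pages)
    return status, sorted(pages)

if __name__ == "__main__":
    print(crawler_follows_delete_link(handle_delete_vulnerable))  # (200, ['home'])
    print(crawler_follows_delete_link(handle_delete_hardened))    # (405, ['about', 'home'])
```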