Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

How did GoogleBot get access to the (presumably) private admin panel to crawl the links in the first place? Also, these sort of things require server-side authentication, not just JS. Just because GoogleBot won't crawl your PUT requests doesn't mean others won't -- including users (malicious or otherwise)! Just sayin'.


If I recall correctly the code looked something like this:

<?php

if (!admin())

  echo "<script>window.location = '/signin';</script>";
delete_bid($_GET['bid_id']);

?>


When you think about it it's actually pretty elegant -- if your purpose is to write something that appears to work but will do the worst possible thing when crawled.


Something like the underhanded C contest then?


I don't understand. Was it supposed to delete the thing anyway, and then redirect if the user wasn't an admin?


a simple 'else' would have at least stopped the deleting part :/


This could have been written in the mindset that JavaScript and PHP ran at the same time. Lots of people still believe that.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: