Thursday 4 May 2006

Programmer Humour/Horror

I could just be terribly slow, but I've only now discovered The Daily WTF. It's a forum with a daily discussion of some programming horror or other. It is, by turns, hilarious and scary. The bulk of people who come here probably won't understand a great deal of it, although I'm sure one or two of you, if you haven't seen it before, will probably spend an inordinate amount of time reading it, laughing, trying to remember if you've done anything like that and then forwarding links to people who will cringe along with you. If you find the following, from a story about disappearing web pages, amusing and yet eerily familiar, then The Daily WTF should be in your RSS feed:
After quite a bit of research (and scrambling around to find a non-corrupt backup), Josh found the problem. A user copied and pasted some content from one page to another, including an "edit" hyperlink to edit the content on the page. Normally, this wouldn't be an issue, since an outside user would need to enter a name and password. But, the CMS authentication subsystem didn't take into account the sophisticated hacking techniques of Google's spider. Whoops.

As it turns out, Google's spider doesn't use cookies, which means that it can easily bypass a check for the "isLoggedOn" cookie to be "false". It also doesn't pay attention to Javascript, which would normally prompt and redirect users who are not logged on. It does, however, follow every hyperlink on every page it finds, including those with "Delete Page" in the title. Whoops.

After all was said and done, Josh was able to restore a fairly older version of the site from backups. He brought up the root cause -- that security could be beaten by disabling cookies and javascript -- but management didn't quite see what was wrong with that. Instead, they told the client to NEVER copy paste content from other pages.
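
The check described in the story, next to a deny-by-default version, as an added example that is not code from the CMS or from The Daily WTF. The request model, the `session` cookie, the session store and the `/edit` and `/delete` paths are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed server-side session store (token -> user); hypothetical values.
SESSIONS = {"s3cr3t-token": "josh"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not a real framework)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)


def flawed_is_allowed(req: Request) -> bool:
    """The check as the story describes it: block only when the client
    itself reports isLoggedOn == "false". A client that sends no cookies
    at all is never blocked, so the check fails open."""
    return req.cookies.get("isLoggedOn") != "false"


def hardened_is_allowed(req: Request) -> bool:
    """Deny by default. State-changing paths are refused over GET, so
    following a hyperlink can never edit or delete, and access requires
    a session token that the server issued and can look up."""
    if req.path.startswith(("/edit", "/delete")) and req.method != "POST":
        return False
    token = req.cookies.get("session")
    return token is not None and token in SESSIONS


def compare(req: Request) -> tuple:
    """Return (flawed decision, hardened decision) for one request."""
    return flawed_is_allowed(req), hardened_is_allowed(req)


# Constructed sample requests.
CRAWLER = Request("GET", "/delete?page=42")  # follows links, sends no cookies
ANON_BROWSER = Request("GET", "/delete?page=42", {"isLoggedOn": "false"})
EDITOR = Request("POST", "/delete?page=42", {"session": "s3cr3t-token"})

if __name__ == "__main__":
    for name, req in [("crawler", CRAWLER), ("anonymous browser", ANON_BROWSER),
                      ("logged-in editor", EDITOR)]:
        flawed, hardened = compare(req)
        print(f"{name:18} flawed={flawed!s:5} hardened={hardened}")
```

The cookieless crawler is the only unauthenticated client the flawed check lets through, which is the behaviour the story describes; the hardened check rejects it twice over, once for using GET on a destructive path and once for having no server-issued session.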
