ia_archiver Bypassed Login Form
January 2nd, 2010 by moonpixel

Recently I came across two cases where a website's admin area was accessed by an "intruder". In both cases the login credentials were known only to the administrator, and in each case that was a different person.

The first site was a simple online questionnaire with a custom CMS for managing the questions created by some company. Here the “intruder” managed to get in the admin area and delete most of the questions.

The second site was only a testing "playground", based on the Zend Framework's MVC but not completed yet. Here the "intruder" managed to send an email from the admin area's mailer.

In both cases the authentication check relied on a Location header: an unauthenticated visitor was redirected away from the admin area. I had a look in the Apache access logs and found this:

174.129.121.101 - - [02/Jan/2010:00:22:19 -0600] "GET /admin/question/edit/id/81 HTTP/1.0" 200 9330 "-" "ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)"

This is apparently Alexa's crawler, and apparently it had ignored the Location header and read the admin page that was served anyway (note the 200 status and the 9330-byte body). The delete-question and send-mail actions were done as links (`<a href="...">`), as opposed to buttons (`<input type="button" ...>`), so a crawler only had to follow the links to trigger them.
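To show the mechanism end to end, here is an added example (not code from the original post or from either site) that simulates the bug in Python's standard HTTP server and client: a handler that issues the redirect but keeps writing the admin page, next to one that stops after the redirect. The admin page body and the `session=valid` cookie check are constructed stand-ins; `http.client` never follows redirects, so it behaves like the crawler in the log.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the admin page; the delete action is a plain link (GET),
# so anything that reads this body and follows links will trigger it.
ADMIN_BODY = b"<a href='/admin/question/delete/id/81'>delete question 81</a>"

class LeakyHandler(BaseHTTPRequestHandler):
    """Redirects unauthenticated clients to /login but keeps rendering, like a PHP
    script that calls header('Location: ...') without exit: the admin page still
    goes out as the response body."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "/login")
        self.end_headers()
        # Bug: no return here, so the protected content is written anyway.
        self.wfile.write(ADMIN_BODY)

    def log_message(self, *args):
        pass  # keep the demo quiet

class FixedHandler(LeakyHandler):
    """Stops after the redirect unless the (constructed) session cookie is present."""
    def do_GET(self):
        if self.headers.get("Cookie") != "session=valid":
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()
            return  # nothing after this line reaches an unauthenticated client
        self.send_response(200)
        self.end_headers()
        self.wfile.write(ADMIN_BODY)

def fetch_without_redirects(handler_cls, path="/admin/question/edit/id/81", headers=None):
    """Serve handler_cls on a loopback port and fetch `path` like a crawler that
    ignores Location; returns (status, Location header, body)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", path, headers=headers or {})  # http.client never follows redirects
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status, resp.getheader("Location"), body
    finally:
        server.shutdown()
        server.server_close()
```

With the leaky handler the unauthenticated fetch returns the full admin body despite the 302; with the fixed handler it returns an empty body, and only a request carrying the session cookie gets the page.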

I decided to deny access to the admin area to all bots, and in the site's root I put a "robots.txt" file with the following (this only keeps out crawlers that honour robots.txt, so it is a courtesy rule rather than a control):

User-agent: *
Disallow: /admin/

Also, because in both cases the site is administered by a single person from a single location, I decided to restrict access to the admin area by IP as well. Into the admin folder I put a ".htaccess" file, where 11.111.111.111 is my IP (Apache 2.2 syntax; the rules apply to every request method, since wrapping them in `<Limit GET>` would have left POST and other methods unrestricted):

# The Auth* lines are inert without a Require directive; kept for reference only.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
# Deny everyone, then allow only the administrator's address, for all methods.
Order deny,allow
Deny from all
Allow from 11.111.111.111