ia_archiver Bypassed Login Form

Recently I came across two cases where a website’s admin area was accessed by an “intruder”. In both cases the login credentials were known only to the administrator, and in each case that was a different person.

The first site was a simple online questionnaire with a custom CMS, created by some company, for managing the questions. Here the “intruder” managed to get into the admin area and delete most of the questions.

The second site was only a testing “playground”, based on the Zend Framework’s MVC and not completed yet. Here the “intruder” managed to send an email from the admin area’s mailer.

In both cases the authentication was done using Location headers (unauthenticated requests were redirected to the login page). I had a look in the Apache access logs and found this:

1 - - [02/Jan/2010:00:22:19 -0600] "GET /admin/question/edit/id/81 HTTP/1.0" 200 9330 "-" "ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)"

That user agent is Alexa’s crawler, and apparently it had ignored the Location header: the log shows a 200 response with a 9330-byte body rather than a redirect. The delete-question and send-mail actions were plain links (<a href="…">) as opposed to buttons (<input type="button" …>), so a crawler that followed every link it found would trigger them.
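This is how I now look for the same symptom in the logs. It is an added example, not code from the original post: it parses Apache “combined” log lines and flags requests where a known crawler received a 2xx response from the admin area. A crawler that is being redirected properly shows up with a 3xx and an empty body; a 2xx with a body means the admin page itself was served. The first sample line is the one from the post; the other lines, the crawler marker list and the /admin/ prefix are constructed for the example.

```python
import re
from collections import namedtuple

# Apache "combined" log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Substrings that identify crawlers. Assumption: illustrative, not an exhaustive list.
BOT_MARKERS = ("ia_archiver", "googlebot", "bingbot", "crawler", "spider")

Hit = namedtuple("Hit", "host time method path status agent")

# Constructed sample log. The first line is the one quoted in the post; the rest are
# made up for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '1 - - [02/Jan/2010:00:22:19 -0600] "GET /admin/question/edit/id/81 HTTP/1.0" 200 9330 "-" '
    '"ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)"',
    '203.0.113.7 - - [02/Jan/2010:00:22:21 -0600] "GET /admin/question/delete/id/81 HTTP/1.0" 200 412 "-" '
    '"ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)"',
    # A crawler that was redirected to the login page: this is what a working check looks like.
    '203.0.113.7 - - [02/Jan/2010:00:25:02 -0600] "GET /admin/ HTTP/1.1" 302 0 "-" '
    '"Googlebot/2.1 (+http://www.google.com/bot.html)"',
    # The real administrator, logged in from a browser.
    '198.51.100.4 - - [02/Jan/2010:09:10:11 -0600] "GET /admin/ HTTP/1.1" 200 9330 '
    '"http://example.com/login" "Mozilla/5.0 (X11; Linux x86_64)"',
    "this line is not in the combined format and is skipped",
]


def parse_line(line):
    """Parse one combined-format line; return a Hit or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["host"], m["time"], m["method"], m["path"], int(m["status"]), m["agent"])


def is_bot(agent):
    """True if the user-agent string carries one of the crawler markers."""
    lowered = agent.lower()
    return any(marker in lowered for marker in BOT_MARKERS)


def find_admin_bot_hits(lines, admin_prefix="/admin/"):
    """Return hits where a crawler got a 2xx response for a path under admin_prefix."""
    hits = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        if hit.path.startswith(admin_prefix) and is_bot(hit.agent) and 200 <= hit.status < 300:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_admin_bot_hits(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} {hit.method} {hit.path} -> {hit.status} ({hit.agent[:20]}...)")
```

Run against a real access log, the two ia_archiver lines are the ones to worry about: the crawler was served the admin page and then followed a delete link, which is exactly the sequence that removed the questions.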

I decided to deny access to the admin area to all bots, and in the site’s root I put a “robots.txt” file with the following:

User-agent: *
Disallow: /admin/

Also, because in both cases the site is administered by a single person from a single location, I decided to restrict access to the admin area by IP as well. Into the admin folder I put a “.htaccess” file (the address on the allow from line is my IP):

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
order deny,allow
deny from all
allow from
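The robots.txt and the .htaccess above limit who can reach /admin/ at the web-server level; the cause inside the application is the redirect that does not stop execution, combined with destructive actions reachable by GET links. The following is an added example written for this post, not code from either site: a Python stand-in for the controller logic, with the flawed pattern next to the corrected one, and an anonymous crawler that ignores Location headers and follows every link it sees. The in-memory question store and the /admin/question/delete/id/N paths are constructed for the example, modelled on the paths in the log.

```python
import re
from dataclasses import dataclass, field

# Constructed in-memory store standing in for the CMS database (assumption).
QUESTIONS = {81: "What is your favourite colour?", 82: "How old are you?"}
DELETE_PREFIX = "/admin/question/delete/id/"
LINK_RE = re.compile(r'href="([^"]+)"')


@dataclass
class Request:
    method: str
    path: str
    logged_in: bool = False


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def render_admin(store):
    """Admin page with one plain <a href> delete link per question, as in the post."""
    items = "".join(
        f'<li>{text} <a href="{DELETE_PREFIX}{qid}">delete</a></li>'
        for qid, text in store.items()
    )
    return f"<ul>{items}</ul>"


def _question_id(path):
    return int(path.rsplit("/", 1)[1])


def vulnerable_admin(req, store):
    """The flawed pattern: set a Location header for anonymous users but keep going,
    so the delete runs and the full admin page is still emitted in the response body."""
    resp = Response(200)
    if not req.logged_in:
        resp.headers["Location"] = "/login"  # redirect is set ...
        # ... but nothing stops execution here, so the rest of the handler runs anyway
    if req.path.startswith(DELETE_PREFIX):
        store.pop(_question_id(req.path), None)
    resp.body = render_admin(store)
    return resp


def hardened_admin(req, store):
    """Corrected: return immediately after the redirect, and never change state on GET."""
    if not req.logged_in:
        return Response(302, {"Location": "/login"})  # redirect AND stop, empty body
    if req.path.startswith(DELETE_PREFIX):
        if req.method != "POST":
            return Response(405, {"Allow": "POST"})  # links are GET; a form button can POST
        store.pop(_question_id(req.path), None)
        return Response(303, {"Location": "/admin/"})
    return Response(200, {}, render_admin(store))


def crawl(handler, start="/admin/", max_pages=20):
    """Anonymous crawler that ignores Location headers and GETs every link in every body.
    Returns the store as it looks after the crawl."""
    store = dict(QUESTIONS)
    queue, seen = [start], set()
    while queue and len(seen) < max_pages:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        resp = handler(Request("GET", path), store)  # never logged in
        queue.extend(link for link in LINK_RE.findall(resp.body) if link not in seen)
    return store


if __name__ == "__main__":
    print("questions left after crawling the flawed handler:  ", crawl(vulnerable_admin))
    print("questions left after crawling the hardened handler:", crawl(hardened_admin))
```

Against the flawed handler the crawler empties the store without ever logging in, because the anonymous response carries the admin page and its delete links. Against the hardened handler it sees only an empty 302 body and finds nothing to follow; even a logged-in administrator cannot delete with a bare link, since the handler answers GET on a delete path with 405 and only acts on POST.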