Sunday 17 February 2008

ia_archiver Not Wanted!

My first dabble into an e-commerce site for a customer was a couple of years ago, but the site is still up and running and a lot of the code is the basis for the new e-commerce sites I put in now. I've recently given the guy a much improved shopping basket and moved him over to a new database and then whilst I was on holiday, his site content vanished.

Luckily, having moved him to the new database I'd also left the copy on the old database so was able to restore most of the site - just a few days' changes for him to rerun. But I've been investigating why everything has been deleted.

Looking through his server archives, ia_archiver somehow managed to get into his admin system. Not sure how it found the admin system (presumably because one of the machines I've tested the admin changes on has the Alexa Toolbar installed) and no idea how it got through the password protection. But it found its way to the category and item delete pages and called all of them.

Each of these is protected by checking the cookie at the top of the page and redirecting to the home page if not set. But either ia_archiver has managed to get hold of the password and set its cookie, or the PHP redirect has been blocked and the code allowed to continue.

Fixes are needed! Late into the night last night I was changing every e-commerce site to add the admin pages to the blocked pages within the robots.txt file. And I'll have to review how the admin systems handle the cookie check (e.g. only sign onto database if cookie check is OK...). This site is also unlucky in that the items are listed with links next to them - on most of the e-commerce admin systems it's a dropdown box, which should also halt the search engines.
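As an added illustration (not code from this post or the site it describes), here is the shape of a PHP admin check that "redirects" but lets the script carry on, beside a hardened version; the function names, the `admin` cookie, the session keys and the `$deleteRow` callback are all assumed for the example. A robots.txt entry only asks well-behaved crawlers to stay away, so the page's own check is what has to stop the delete.

```php
<?php
// Added example. The vulnerable shape matches the second suspicion in the post:
// header() sends a redirect, but without exit the rest of the page still runs,
// so a crawler following a "delete" link (a plain GET) triggers the action.
function deleteItemVulnerable(array $cookies, array $query, callable $deleteRow): bool
{
    if (empty($cookies['admin'])) {
        header('Location: /');   // redirect sent, but execution continues below
    }
    $deleteRow((int) $query['id']);   // runs for everyone, cookie or not
    return true;
}

// Hardened shape: stop after the redirect, keep the login state server-side,
// and only act on an explicit POST carrying a per-session token.
function deleteItemHardened(array $session, array $post, string $method, callable $deleteRow): bool
{
    // 1. Authentication is a server-side session value, not the mere presence of a cookie.
    if (empty($session['admin_user'])) {
        header('Location: /', true, 302);
        exit;                    // never fall through to the destructive code
    }
    // 2. Destructive actions only on POST; crawlers following links send GET.
    if ($method !== 'POST') {
        http_response_code(405);
        return false;
    }
    // 3. Token tied to the session so a forged cross-site form cannot submit the delete.
    if (!isset($post['token'], $session['csrf']) || !hash_equals($session['csrf'], $post['token'])) {
        http_response_code(403);
        return false;
    }
    $deleteRow((int) $post['id']);
    return true;
}
```

The same pattern applies to the category delete page and to any admin action reached by a link: the dropdown-and-submit layout mentioned above helps because it naturally becomes a POST form, but the `exit` after the redirect is what closes the hole.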

Lots of work needed for me. What a lovely job to get back to after my holiday!
