Aliaspooryorik Musings

• Categories

  • Apache (6)
  • CFEclipse (2)
  • Coldbox (1)
  • ColdFusion (116)
  • ColdFusion on Wheels (3)
  • DevonCFUG (10)
  • EXT JS (1)
  • Fusebox (24)
  • IIS (2)
  • jQuery (15)
  • Off Topic (10)
  • OOP (13)
  • Resources (6)
  • Reviews (3)
  • SQL (22)
  • Subversion (2)
  • All Categories

• Recent Posts

  • The Art & Science of CSS -- Free eBook
  • Subversion Hooks on Windows
  • FAQU Volume 3 Issue 1 Out Now!
  • Installing SQL Server 2008 Express
  • FLV and IIS 6
  • New getFieldLengths method for DataMgr
  • Maximum list values for cfqueryparam
  • IISPassword for IIS 6.0
  • European and US formatted currency
  • OOP Terminology : Part VIII - Service Layer

• Popular Posts

  • jQuery table sorting & paging
  • ASP is better than ColdFusion (Not really!)
  • 2 dimensional arrays
  • Installing SQL Server 2008 Express
  • Expanding menus with jQuery
  • Abstract Class as an Interface
  • Book Review: jQuery In Action
  • CFEclipse keyboard shortcuts
  • Use Subqueries - they are fast!
  • OOP Terminology : Part VIII - Service Layer

• Archives

  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008
  • March 2008
  • February 2008
  • August 2007
  • March 2007

• Links

  • carehart.org UGTV
  • corfield.org
  • Devon CFUG
  • ColdFusion Bloggers

Security Compromised by The Yahoo Toolbar

August 12, 2008

If you or your clients use The Alexa or Yahoo toolbars then you might be compromising the security of their website without knowing it. Unlike search engines which crawl the web by following links, the toolbars record the pages that you visit. This is all well and good (if you don't mind your surfing habits being recorded) but what happens if you visit a private page? Well, that information is still sent to Alexa and shows up in their search results.

I did think long and hard about whether or not to post these links as it will give a few bedroom hackers something to play with, but as these techniques are already being used, I figured that if I make at least one site more secure then it is worthwhile. Here is a simple example of finding the ColdFusion Administrator Login screen.

http://www.alexa.com/search?q=inurl:CFIDE%20%22ColdFusion%20Administrator%20Login%22

I've also noticed that some people actually add links to the ColdFusion Administrator in their public delicious bookmarks.

http://delicious.com/search?p=ColdFusion+Administrator+Login&u=&chk=&context=&fr=del_icio_us&lc=0

Come on guys - think about what you're doing!

If you think this is bad, it gets a whole lot worse. By using the advanced search capabilities of Alexa it is possible to view full lists containing names, email address and postal addresses of site users. How? Well I'm not going to post the link for that one, but basically what is happening is a CSV is being uploaded or created online. A user with the toolbar installed views the CSV in their browser and voilà - it is now recorded and will appear in search results.

How to prevent it.

Here are some suggestions.

• Don't use delicious to bookmark pages you don't want people to find.
• Only allow static files to be downloaded via a script so you can authenticate the request.
• Set up webserver level security on directories that contain private files.
• Store private files outside the web root.
• Delete files you no longer need (for example after an import/export)
• Uninstall the toolbar and tell your clients to do the same!
• If you must use the toolbar, then I believe you can choose to exclude certain sites.

• Posted in:
• ColdFusion

2 comments

1. So if you have a robots.txt file on the site, does it ignore it?
   
   Comment by Jason Dean – August 12, 2008
2. Hi Jason. Good question and I'm afraid I don't have the answer!
   
   I've just tried some of the sites that come up in the listings and none of them exclude the directory - in fact most don't have a robots.txt file at all.
   
   If anyone knows please tell us!
   
   Comment by John Whish – August 12, 2008

Leave a comment

If you found this post useful, interesting or just plain wrong, let me know - I like feedback :)

Please note: If you haven't commented before, then your comments will be moderated before they are displayed.

Powered by Fusebox 5.5.1 & XML free!

Copyright © 2008 John Whish / www.aliaspooryorik.com