#10 trace.php is EVIL

Status: closed-fixed
Owner: Andreas Goetz
Labels: core (18)
Priority: 5
Updated: 2006-01-09
Created: 2005-05-13
Creator: Guilherme Ramos
Private: No

Hello,
I've been using VideoDB for some time now.. it's a very good program.. But lately I've noticed that my cache was filling up very fast....and that's odd because mostly only I go to my movie page (but it's open to the public)..

Then I looked at my server logs, and saw that trace.php was responsible for a LOT of bandwidth usage... more than everything else. I then found out that someone actually used it to browse pages other than IMDB.. he just kept browsing, with that bar. So I rushed to disable access to IMDB... that'll probably solve it.. I also removed access for people without a password..

While doing this, I found out something... even if you restrict to registered users, and configure VideoDB to NOT access IMDB inside your site, if you just use the URL /trace.php?videodburl=XXX you can STILL use it.. I think trace.php needs a security check also.. Because somehow, after disabling everything, people kept coming to this file (so I just deleted it).
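
The check the report asks for, as an added example that is not VideoDB's own code: a script that fetches a caller-supplied URL is an open proxy unless it both requires a logged-in user and restricts the target host to an allowlist, and the allowlist must be enforced inside the script itself rather than only in the pages that link to it. The function names, the `$allowed_hosts` list, the `videodb.example` host and the `$_SESSION['user']` key below are assumptions for illustration.

```php
<?php
// Added example, not VideoDB's own code: an allowlist check for the URL that a
// proxy script like trace.php fetches on the caller's behalf. The function names,
// the $allowed_hosts list and the session key are assumptions for illustration.

/**
 * Accept $url only if it is a plain http(s) URL, carries no embedded
 * credentials, and its host is one of $allowed_hosts or a subdomain of one.
 */
function is_allowed_trace_url(string $url, array $allowed_hosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // relative or unparsable: refuse
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // no file://, ftp://, gopher://, ...
    }
    // "http://imdb.com@evil.example/" parses with user=imdb.com and
    // host=evil.example; refuse anything with userinfo so the host is unambiguous.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowed_hosts as $allowed) {
        $allowed = strtolower($allowed);
        $suffix  = '.' . $allowed;          // match on a label boundary only
        if ($host === $allowed
            || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;                           // IP literals never match a name allowlist
}

/**
 * Gate for the request handler: the caller must be logged in AND the target
 * must pass the allowlist. Returns the HTTP status to send, 0 meaning "proceed".
 */
function trace_request_status(array $session, array $get, array $allowed_hosts): int
{
    if (empty($session['user'])) {          // assumed session key for a logged-in user
        return 403;
    }
    if (!is_allowed_trace_url($get['videodburl'] ?? '', $allowed_hosts)) {
        return 400;
    }
    return 0;
}

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    // Configure the site's own host here rather than reading $_SERVER['HTTP_HOST'],
    // which is the client-supplied Host header.
    $allowed = ['imdb.com', 'videodb.example'];
    $cases = [
        'http://www.imdb.com/title/tt0133093/' => true,
        'https://videodb.example/index.php'    => true,
        'http://www.example.net/'              => false, // arbitrary site: the reported abuse
        'http://imdb.com@www.example.net/'     => false, // userinfo trick
        'http://notimdb.com/'                  => false, // suffix must be a label boundary
        'file:///etc/passwd'                   => false,
        'http://127.0.0.1/'                    => false,
        '/trace.php?videodburl=x'              => false,
    ];
    foreach ($cases as $url => $expected) {
        $ok = is_allowed_trace_url($url, $allowed) === $expected;
        printf("%s %s\n", $ok ? 'PASS' : 'FAIL', $url);
    }
    $checks = [
        [[],                  ['videodburl' => 'http://www.imdb.com/'],     403],
        [['user' => 'alice'], ['videodburl' => 'http://www.example.net/'], 400],
        [['user' => 'alice'], ['videodburl' => 'http://www.imdb.com/'],    0],
    ];
    foreach ($checks as [$session, $get, $expected]) {
        $ok = trace_request_status($session, $get, $allowed) === $expected;
        printf("%s status %d for %s\n", $ok ? 'PASS' : 'FAIL', $expected, $get['videodburl']);
    }
}
```

Two caveats for anyone adapting this: the site's own host name belongs in configuration, not in `$_SERVER['HTTP_HOST']`, because the client chooses that header; and a host allowlist does not stop an allowed host from redirecting to somewhere else, so the fetch that follows the check must either not follow redirects or re-run the check on every hop.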

Discussion

  • Andreas Goetz
    2005-09-07

    Are you running the latest CVS version?

  • Andreas Goetz
    2005-09-07

    • assigned_to: nobody --> andig2

  • Andreas Goetz
    2006-01-09

    No response, added option to restrict to local site.

  • Andreas Goetz
    2006-01-09

    • status: open --> closed-fixed