Thursday, April 3, 2008

Admin directory.... for everyone?

A guy phoned me this morning and explained that he was having problems with his Internet Explorer.
He wanted to update his website with new pictures, but for some reason the new pictures didn't appear in his browser after he submitted them.
He asked me if I could try it for him instead, to figure out whether it was an issue with Internet Explorer or with his website.
Since I was at work, I couldn't try it, so I asked him to mail me the link to his site so I could check it in the afternoon.
I also asked for his login and password, because how else would I be able to upload images to his site..? He knows he can trust me...

He: "There's no login and password needed"
Me: "Erm, if there's no login and password needed, how should I upload the pictures then?"
He: "You can do it via the admin panel at my website"
Me: "Ok, but I need the login and password for that"
He: "As I said, it's not needed"

Hmmmmmm... strange.. guess he's missing something...

Back at home, I received his mail with the link to his admin panel: http://*********/admin
(left out the site name for obvious reasons :) )
Entered the URL... and I was in. I mean, I was really in! I couldn't believe my eyes.
What I saw was a preview of his main site with several applications present - to edit text, add text, submit files/pictures, whatever.
I still couldn't believe it, so I uploaded some stupid pictures via the applications, added some stupid text > submit > OK.
Went to the main site and it was there!!! I refreshed once again to make sure.. I even closed and reopened my browser to double-check; what I submitted was still there.
OMG! This is a REAL BAD idea!

So, I phoned the guy and asked him if he had created the website and the admin application... and why he didn't password-protect it. Nope, he didn't create the website - he actually paid a lot of money to have it created for him instead. I explained to him what a bad idea this was and asked for "his" webmaster's phone number.
So I phoned the webmaster... the creator of the site.

Me: "You think it's ok if people compromise the site(s) you created? Put malicious content on it, so every visitor gets infected? Or if someone deleted the entire content of the site?" (and some extra rants).
He: "I have no clue what you are talking about"
Me: "Once again, you did create this website with the admin application?" (gave him the name of the site)
He: "Yes, I created that one"
Me: "Is there any reason why you didn't password-protect the admin directory or access to edit/update the site?"
He: "To make it easier for our clients, so they can update the site any time"

He just didn't get it...

Me: "To make it easier for your clients??? You make it easy for EVERYONE!! Everyone can access it, upload whatever they want, edit whatever they want.." (I didn't try it, but I'm sure the editable text boxes there supported HTML as well)
He: "Erm, Ok, so what should I do then?"
Me: "Password-protect it!!!"
He: "How?"

OMG..! I was stumped.

Anyway, I explained to the guy how to password-protect it and gave him a lot of options; he didn't even know what .htaccess was.
I also told him that it's a good idea to give the admin directory another name, etc. etc..
He finally understood my concerns (and not only my concerns) and said he would change/update it immediately for every website he created.
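
For anyone in the same situation, here is an added example (not from the original post or the webmaster's site) of the kind of .htaccess I had in mind: it makes Apache demand a username and password for everything under the admin directory. The file paths, the realm name and the user name "editor" are placeholders I made up.

```apache
# Added example, not from the original post. Drop this file as ".htaccess" inside the
# admin directory of an Apache-served site. The server config must allow it with
# "AllowOverride AuthConfig Options" for that directory.

# Ask for a username/password (HTTP Basic auth) before serving anything in here.
AuthType Basic
AuthName "Site administration"

# The password file lives OUTSIDE the web root, so it can never be downloaded.
# Create it once (placeholder path and user) with:
#   htpasswd -c /etc/apache2/.htpasswd-admin editor
AuthUserFile /etc/apache2/.htpasswd-admin
Require valid-user

# Don't list the directory contents if someone lands here without an index page.
Options -Indexes

# Note: renaming the directory (e.g. away from /admin) only hides it; the
# Require line above is what actually keeps strangers out.
```

Basic auth sends the password in cleartext, so the admin directory should only be reachable over HTTPS.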

A Webmaster?? Yeah, sure.. And he's getting paid for this?? This is totally irresponsible!

Anyway, I just checked a couple of minutes ago and I'm glad to see that there's finally a login box present to enter the "admin site", where it's asking for login and password. Not sure if it works, or if the login name matches the password, but it is present at least... :)

After experiencing this, imagine how many so-called "webmasters" are out there, making the same BIG mistakes.
/me *shivers*

Sidenote: The "not viewing images" issue is resolved now as well - flushed the IE cache and all was OK again. :)
