From: philipn
Date: Sat, 03 Nov 2007 21:25:05 -0000
Local: Sat, Nov 3 2007 5:25 pm
Subject: Major security issues for wikis
The current verification method poses a major security issue for a
good deal of wikis.  Currently, all that is needed to verify
yourself as the owner of a site is the creation of a single page named
something like googlebacb14320d6b1bdb.html at the root level of a
site.  Most wikis, however, allow anyone to create such pages.

There is a small amount of checking that the webmaster tools do --
they check to see if a small sampling of random garbage pagenames
return 404 or 200.  However, many wikis return 404 for non-existent
pages, so this remains a serious and definite issue.

I suggest that the instructions include content for the HTML file to
contain and check that the exact same content exists at the provided
location.

--Philip Neustrom
http://wikispot.org


 
From: webado
Date: Sat, 03 Nov 2007 15:17:53 -0700
Local: Sat, Nov 3 2007 6:17 pm
Subject: Re: Major security issues for wikis
Well again this is yet another problem with wikis which allow
non-authenticated user input.
The security flaw is at the wiki level, not Google's level.
If anybody can add pages unhampered to a site they ARE owners of that
site, as simple as that.
Imagine that they can also upload or create a robots.txt file with a
single directive to disallow all robots. You are in deep doodoo.

Wikis seem to be a curse for spiders in more ways than one. Wiki
navigation from what I have seen is a mess. You need to work so very
hard to build a comprehensive robots.txt file.

From: philipn
Date: Sun, 04 Nov 2007 02:29:25 -0000
Local: Sat, Nov 3 2007 10:29 pm
Subject: Re: Major security issues for wikis
Users can create pages, but they can't create pages containing
arbitrary content.  You can create a page saying "Hello, world!" but
it will render within the confines of an existing HTML layout.  This
is why my suggested solution would involve Google requesting you
create the google3493284alolwtf.html file with a random string and
only a random string in it.

Everybody knows about robots.txt, and so it's easy for system
administrators to alias whatever/robots.txt to the filesystem.
Additionally, again it would be impossible with most known wiki
systems to create a well-formed robots.txt file by a malicious user.

--Philip Neustrom
http://wikispot.org

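The two verification checks discussed in this thread, side by side, as an added example that is not part of the original posts and is not Google's code. The `Site` class, the token and file name formats, and all function names are assumptions made for illustration; the sites are constructed in memory so the example runs offline.

```python
import hmac
import secrets

def new_challenge():
    """Issue a random file name and a random token (formats are assumptions)."""
    return f"google{secrets.token_hex(8)}.html", secrets.token_urlsafe(32)

def verify_by_existence(fetch, filename):
    """Check described in the first post: the named file answers 200 and
    a sample of random garbage page names answers 404."""
    probes = ["/" + secrets.token_hex(8) + ".html" for _ in range(3)]
    if any(fetch(p)[0] != 404 for p in probes):
        return False
    return fetch("/" + filename)[0] == 200

def verify_by_content(fetch, filename, token):
    """Check suggested in the thread: the body is the token and nothing else."""
    status, body = fetch("/" + filename)
    if status != 200:
        return False
    # Tolerate only a trailing newline; any surrounding markup fails the match.
    return hmac.compare_digest(body.rstrip("\r\n").encode(), token.encode())

class Site:
    """Constructed stand-in for a web site. With layout set, every stored
    page is rendered inside that HTML layout, as a wiki does."""
    def __init__(self, layout=None):
        self.pages, self.layout = {}, layout
    def put(self, name, text):
        self.pages["/" + name] = text
    def fetch(self, path):
        if path not in self.pages:
            return 404, "Not Found"
        text = self.pages[path]
        return 200, self.layout.format(text) if self.layout else text

def run_demo():
    filename, token = new_challenge()
    wiki = Site(layout="<html><body><div id='content'>{}</div></body></html>")
    wiki.put(filename, token)          # page created through the wiki by any visitor
    owned = Site()
    owned.put(filename, token + "\n")  # file placed at the root by the site owner
    return {
        "wiki_existence": verify_by_existence(wiki.fetch, filename),
        "wiki_content": verify_by_content(wiki.fetch, filename, token),
        "owner_content": verify_by_content(owned.fetch, filename, token),
    }

if __name__ == "__main__":
    print(run_demo())
```

The existence check accepts the wiki page because the wiki returns 404 for unknown names and 200 for the created page, while the content check rejects it because the token arrives wrapped in the wiki's layout.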