URL fun

This morning we had another case of one of our clients ‘losing’ data. I say ‘losing’, in quotes, because data just doesn’t get lost when all other data is intact; it’s usually a coding issue or someone’s ‘hacked’ in. And by hacked, it could be something as simple as, “oh, look, the URL has id numbers in it, I wonder what happens if I change that number by 1,” which isn’t really hacking at all, just taking advantage of us programmers who forget to secure URL variables. I suppose either way it is a coding issue.

In any case, we have a site that we inherited. This site has been having data loss issues on occasion from within its members’ area, which is never good. So what do we do about it? Well, in this instance, since we didn’t write the code, we are going to have to figure out some sort of logging instrument. I took a look at our friend Smarter Stats to see what URL query strings are being passed through to one of the administration pages. Some of them are quite funny; they look something like this:

limit=1275&orderby=http%3A%2F%2Fwww.blankner.ocps.net%2Fmedia%2Fimages%2Fefepi%2Fasopuy%2F&page=view_referral_members
limit=0&orderby=http%3A%2F%2Fwww.antwerpsupporter.be%2Fsubscribe_2_me_to-delete%2Fsm%2Fexported_files1%2Fmosupoz%2Fadusa%2Fojafujo%2Faweji%2F&page=view_referral_members

So those seem harmless enough. Not sure what they’re trying to accomplish, but the mere fact that they’re trying to mess around is annoying. Then, after getting through more of the hundreds of query strings from the last few days, I noticed a few that look like this:

member_id='.6728.'&notice=deletemember&page=view_members

Shady. So this may be a potential culprit; we won’t know, though, until we scour through the code to find out.

Now it’s our job to figure out if this is a malicious piece of code, and figure out what part of a program we didn’t write is messing with our client. Hopefully we’ll all learn something from it.

All this is basically to say: programmers, pay attention to your URL variables. Make sure you’re not opening yourself up to injection attacks and hacks.
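As an added example (not code from this post or from the site it describes), here is a small Python triage routine that applies that advice to query strings like the ones quoted above: numeric parameters such as limit and member_id must be plain integers, and orderby and page must come from an allowlist, so a value like member_id='.6728.' or an orderby carrying a full URL gets flagged before any code runs with it. The sample query strings are constructed after the ones in the post, and the allowlist column and page names are assumed rather than taken from the site.

```python
from urllib.parse import parse_qsl

# Constructed sample query strings modelled on the ones quoted in the post
# (not real log data from the site).
SAMPLE_QUERY_STRINGS = [
    "limit=1275&orderby=http%3A%2F%2Fwww.blankner.ocps.net%2Fmedia%2F&page=view_referral_members",
    "member_id='.6728.'&notice=deletemember&page=view_members",
    "member_id=6728&notice=deletemember&page=view_members",
    "limit=20&orderby=join_date&page=view_members",
]

# Allowlists a members-area admin page would reasonably enforce.
# Hypothetical: these column and page names are assumed, not the site's own.
ALLOWED_ORDERBY = {"member_id", "join_date", "last_name"}
ALLOWED_PAGES = {"view_members", "view_referral_members"}


def validate_param(name, value):
    """Return None if the value is acceptable, otherwise a short reason string."""
    if name in ("limit", "member_id"):
        # Plain digits only: rejects quotes, dots, negative numbers, anything SQL-ish.
        if not value.isdigit():
            return f"{name} is not a plain integer: {value!r}"
    elif name == "orderby":
        if value not in ALLOWED_ORDERBY:
            return f"orderby not in allowlist: {value!r}"
    elif name == "page":
        if value not in ALLOWED_PAGES:
            return f"page not in allowlist: {value!r}"
    return None


def triage(query_string):
    """Parse one query string (percent-decoding included) and list rule violations."""
    params = parse_qsl(query_string, keep_blank_values=True)
    problems = [p for name, value in params if (p := validate_param(name, value))]
    # A delete action arriving with a malformed member_id is exactly the case
    # the post is chasing, so call it out explicitly.
    if dict(params).get("notice") == "deletemember" and any(
        p.startswith("member_id") for p in problems
    ):
        problems.append("delete action with malformed member_id")
    return problems


def triage_all(query_strings):
    """Map each query string to its list of violations; empty list means clean."""
    return {qs: triage(qs) for qs in query_strings}


if __name__ == "__main__":
    for qs, problems in triage_all(SAMPLE_QUERY_STRINGS).items():
        print("FLAG" if problems else "ok  ", qs, problems)
```

Run it against real query strings pulled from the stats tool and the flagged entries are the ones worth matching against the code paths that delete members.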