Passion * Technology * Ruthless Competence

Tuesday, April 29, 2003

Bogus Referral Log

I'm on vacation, but still checking my email. Many thanks to Mickey Williams who pointed out to me that my referral log had been hacked. I'm not sure hacked was quite the right word for it - I was breaking the first rule of Secure Code - Trust User Input at Your Own Peril. The referral HTTP header is a form of user input, and I was happily echoing it back out to the site without any sort of check whatsoever. I guess I should consider myself lucky that I ended up with a page full of porn links rather than something more serious. Obviously, I've taken the page down. When I get back from vacation, I'll check the server log to see when this started happening. Anyone else blindly storing and echoing referrals should keep an eye on their log.

I asked a while ago about canonical weblog names. At the time, I wanted to unify the entries in my referral log that pointed back to the same weblog. Now I also want to eliminate bogus entries. Is pingback/trackback the answer?
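To make the "trust user input at your own peril" point above concrete, here is an added example (my own illustration, not code from this weblog or from dasBlog): a referral log rendered the unchecked way next to a version that validates each Referer value and HTML-escapes it on output. The function names and sample referrer strings are constructed for the example.

```python
"""Added example: echoing the HTTP Referer header back into a page, unchecked
and then hardened. Function names and sample referrers are constructed."""
from html import escape
from urllib.parse import urlsplit

# Constructed sample of values a referral log might have collected.
SAMPLE_REFERRERS = [
    "http://blog.example.org/2003/04/canonical-names",  # legitimate weblog
    "http://spam.example/links",                         # unsolicited link drop
    '"><script>alert(1)</script>',                       # markup injection
    "javascript:alert(document.cookie)",                 # dangerous URL scheme
]


def render_unchecked(referrers):
    """The pattern the post describes: trust the header and echo it as HTML."""
    items = [f'<li><a href="{r}">{r}</a></li>' for r in referrers]
    return "<ul>" + "".join(items) + "</ul>"


def is_acceptable_referrer(ref):
    """Allow only absolute http(s) URLs with a host and no control characters."""
    if len(ref) > 2048 or any(ord(c) < 32 or ord(c) == 127 for c in ref):
        return False
    parts = urlsplit(ref)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_checked(referrers):
    """Hardened: validate each value, drop what fails, escape what remains.
    rel="nofollow" removes the search-ranking incentive behind link spam."""
    items = []
    for r in referrers:
        if not is_acceptable_referrer(r):
            continue  # drop rather than repair; keep the raw value in the server log
        safe = escape(r, quote=True)
        items.append(f'<li><a href="{safe}" rel="nofollow">{safe}</a></li>')
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    print(render_unchecked(SAMPLE_REFERRERS))
    print(render_checked(SAMPLE_REFERRERS))
```

Note that the syntactically valid spam URL still passes the check; validation and escaping stop markup injection, but deciding which referrers are genuine weblogs is the canonical-name problem the second paragraph raises.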

Posted By at 3:20 PM Pacific Daylight Time