Date: Tue, 18 Nov 2008 13:54:36 -0800 (PST)
From: Ken Marcus <kenmarcusprecisionweb (at mark) yahoo.com>
Subject: [coba-e:14349] Re: robots.txt for admserv
To: coba-e (at mark) bluequartz.org
Message-Id: <84613.32662.qm (at mark) web37906.mail.mud.yahoo.com>
X-Mail-Count: 14349

----- Original Message -----
From: "Filipe Melo" <filipefmelo (at mark) gmail.com>

> No complaints from me. Smart move ;)
>
> On Tue, Nov 18, 2008 at 5:48 PM, Dogsbody <dan (at mark) dogsbody.org> wrote:
>>
>> It's only a small thing but if a vulnerability was ever found for BQ then it
>> could be a big thing.
>>
>> It seems that the admin interface is open to search engines indexing it,
>> while it obviously only indexes the login page it does make rather a nice
>> list of BQ machines!...
>> http://www.google.co.uk/search?q=Login+-+BlueQuartz+5100R+Series&filter=0
>>
>> This could be fixed with a simple robots.txt file...
>>
>> # cat /usr/sausalito/ui/web/robots.txt
>> User-agent: *
>> Disallow: /
>>
>>
>> If no one disagrees could this be added to standard BQ please?
>>
>> Thank you
>>
>> Dan

The robots.txt is a good idea.

When scanalert.com scans my servers they complain about cross site scripting, if I recall. They are able to cause an iframe to be displayed within the login page by injecting a value for the $target variable. Only for that user (not persistent). I don't actually think it is a vulnerability; but to stop the injection I edit

/usr/sausalito/ui/web/login.php

and change the beginning of the file from:

<?php
// Author: Mike Waychison, Kevin K.M.
// Copyright 2000, 2001 Sun Microsystems, Inc. All rights reserved.
// $Id: login.php,v 1.3 2001/10/29 09:03:18 pbose Exp

TO:

<?php
// Author: Mike Waychison, Kevin K.M.
// Copyright 2000, 2001 Sun Microsystems, Inc. All rights reserved.
// $Id: login.php,v 1.3 2001/10/29 09:03:18 pbose Exp
if (eregi('iframe', $target)) {
    exit;
}
if (eregi('alert', $target)) {
    exit;
}

Then for good measure, I also add the line below.

$target = "/redirector.php";

Possibly the $target value needs to be different on new systems, but not on servers that are already set up.

----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
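The $target checks in the message above reject only values containing the substrings "iframe" or "alert". As an added example, not BlueQuartz code and not part of the original message, the PHP 7+ script below puts that denylist (rewritten with preg_match, since eregi() was removed in PHP 7) beside an allowlist on the redirect target combined with output escaping, and runs both over a few constructed inputs. The function names, the regular expression and the sample payloads are assumptions made for this illustration, not anything taken from login.php.

```php
<?php
// Added example (not BlueQuartz code): denylist vs. allowlist validation of a
// redirect target such as the $target parameter of a login page.
// All names and sample inputs below are assumptions for this illustration.

declare(strict_types=1);

// The denylist from the message, using preg_match because eregi() no longer
// exists in PHP 7. It drops only values that mention "iframe" or "alert".
function denylist_rejects(string $target): bool
{
    return preg_match('/iframe/i', $target) === 1
        || preg_match('/alert/i', $target) === 1;
}

// Allowlist: accept only a local absolute path (one leading slash, so no
// scheme and no protocol-relative "//host"), built from a small character
// set that excludes quotes, angle brackets, backslashes, CR and LF, with an
// optional simple query string. Anything else falls back to a fixed default.
function safe_target(?string $target, string $default = '/redirector.php'): string
{
    if ($target === null) {
        return $default;
    }
    $ok = preg_match('#\A/(?!/)[A-Za-z0-9_./-]*(?:\?[A-Za-z0-9_=&%.-]*)?\z#', $target);
    return $ok === 1 ? $target : $default;
}

// The validated value is still escaped where it is written back into HTML,
// so a future change to the allowlist cannot reintroduce markup injection.
function hidden_field(string $target): string
{
    return '<input type="hidden" name="target" value="'
        . htmlspecialchars(safe_target($target), ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Constructed sample inputs; "attacker.invalid" is a reserved, non-routable name.
$samples = [
    '/base/user/edit.php',
    '/base/user/edit.php?group=site1',
    '"><iframe src=http://attacker.invalid>',                              // denylist drops it
    '"><script>document.location="http://attacker.invalid/"</script>',    // denylist passes it
    '"><img src=x onerror=fetch("http://attacker.invalid/")>',           // denylist passes it
    '//attacker.invalid/',                                                // open redirect, denylist passes it
    "/base/user/edit.php\r\nSet-Cookie: x=y",                             // header injection, denylist passes it
];

foreach ($samples as $s) {
    printf("%-66s denylist:%-4s allowlist->%s\n",
        substr(addcslashes($s, "\r\n"), 0, 66),
        denylist_rejects($s) ? 'drop' : 'pass',
        safe_target($s));
}
echo hidden_field($samples[0]), "\n";
```

Run with `php example.php`. The two legitimate paths survive the allowlist unchanged; every payload that slips past the two-word denylist, including the protocol-relative redirect and the CR/LF header injection, is replaced by the default target, which is the same effect the message's final `$target = "/redirector.php";` line achieves, but only for inputs that fail validation rather than for every request.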