Hijack problem with sitemaps?

8 comments

A thread at WMW flags a potential hijack problem with Google sitemaps. Someone more competant than I on the technicalities involved may like to comment.

Quote:
Without giving specifics, there is a major problem with the site map system which allows anyone who can create a file to 'claim' ownership of a site, or a domain within a site.

If you own or run any WIKI, any system which allows user uploadable files (with specified file name), or any system which allows users to create pages with names based upon the title ('seo friendly' pages) then I urge you to take steps to ensure that URLs of the form:

GOOGLEb74h6s3m49v87f.html

cannot be created.

Comments

shame on you

hahaha next people will be hacking into servers .. i wonder what data you can get for the firefox website .... DaveN all angelfaced goes back to programming :)

DaveN

Don't hit the panic button

The same goes for robots.txt. An application must enable uploads to the root level to put the site owner at risk of others watching his 404 errors served to Googlebot. Submitting and processing of sitemaps works w/o verification. Even deactivated sitemaps are easy to spot via server logs, and then an email to Google should solve the issue, and reveal the offender.

but who's fault is it

i found a better exploit :)

DaveN

Indeed

Just viewed the AOL stats and others.

yep

Yep someone posted it in the Wmw thread.

Dave that was sweet! Part of

Dave that was sweet! Part of the blame does lie with the webmaster but Google you are partly to blame here, and please don't trot out that lame excuse you used when web accelerator started pulling files it wasn't supposed to.

Weird glitch

They used to check for a probe file which should not exist. If this double-check would still be in place, the verification procedure would be fine.

Update: It's fixed

as usual ...

Google is depending on outsiders to vet the security of their systems. Problems might have been discovered if they weren't distracted by their lava lamps and 20 percent time on private projects. Security glitches have happened on every single inititative emanating from Google.

And the stock cracked the $400/share mark.

Irrational exuberance accompanied by irrational hubris?

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.