Incompetent Boobs Part 3

I’m beginning to feel like I can write this story on autopilot:

Our company's web site uses a content management system whose interface is all browser based. Turning the GSA loose on our web site using an administrative account ended up wiping out 85% of our web site's content through the execution of delete actions from web page links in the administrative interface of the content management system.

The CMS system we use is built in ColdFusion (which we're rapidly moving away from to .NET sometime next year). These ColdFusion pages have buttons / images all hyperlinked to perform different actions for content records, content folders, and unfortunately whole web site instances. One of these hyperlinked image buttons deletes the content when clicked, which the crawler furiously did last night.

And just in case anybody didn’t get the point the first two times I ran this story:

The problem, yet again, was that the Content Management System was designed by INCOMPETENT BOOBS, who didn’t know the difference between HTTP GET and HTTP DELETE. They had no business building a CMS for their church choir, much less a real business. And one more time, can someone explain to me why in 2008 anyone is still building their own CMS from scratch instead of customizing one of the many off-the-shelf open source solutions?

One more time: any operation that deletes a web page should be done with HTTP DELETE; or, if you must, with HTTP POST. However, you should never, never, never, never design a link that deletes a page with HTTP GET. Do not think your Intranet pages are safe. They aren't. Do not think robots.txt will protect you. It won't. Do not think usernames and passwords will protect you. They won't. Do not think nonces or referrer checks or JavaScript or proxy busting query strings will protect you. They won't.

The only reliable way to implement delete is by using HTTP as it was intended to be used. GET for safe operations, and PUT, DELETE, and POST for unsafe ones.
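To make the rule concrete, here is an added example that is not from the original post and not the code of any real CMS: a toy in-memory content store with two request handlers. The first performs the delete whenever `action=delete` appears in the query string, whatever the HTTP method, which is how the CMS in the story behaved. The second treats GET as read-only and performs the delete only on POST or DELETE. A simulated crawler that follows every link on the admin page with GET (the only thing a crawler ever sends) empties the first store and leaves the second untouched. All names, URLs and sample pages are constructed for the example.

```python
"""Added example: GET-triggered deletes versus method-checked deletes.

Not code from the original post or any real CMS. The content store, the
/admin URL layout and the page names are all constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# HTTP status codes used below
OK = 200
METHOD_NOT_ALLOWED = 405


def make_site():
    """Constructed sample content: three pages in a dict keyed by page id."""
    return {"home": "Welcome", "about": "About us", "news": "Latest news"}


def admin_links(site):
    """The admin page renders one 'view' and one 'delete' link per record.

    Any crawler handed an admin session will follow all of these with GET.
    """
    return ([f"/admin?action=view&id={page}" for page in site]
            + [f"/admin?action=delete&id={page}" for page in site])


def _parse(url):
    query = parse_qs(urlparse(url).query)
    return query.get("action", [""])[0], query.get("id", [""])[0]


def handle_vulnerable(method, url, site):
    """The bug the post describes: a destructive action keyed only on the URL.

    The method is ignored, so a plain GET from a crawler deletes content.
    """
    action, page = _parse(url)
    if action == "delete":
        site.pop(page, None)
    return OK


def handle_safe(method, url, site):
    """GET is safe (read-only); state changes require POST or DELETE.

    A crawler's GET of the delete URL is refused with 405 and changes nothing.
    """
    action, page = _parse(url)
    if action == "delete":
        if method not in ("POST", "DELETE"):
            return METHOD_NOT_ALLOWED
        site.pop(page, None)
        return OK
    # read-only actions are only reachable via GET
    if method != "GET":
        return METHOD_NOT_ALLOWED
    return OK


def crawl(handler, site):
    """A well-behaved crawler: issues only GET, but follows every link it finds.

    The link list is snapshotted first so deletes cannot disturb iteration.
    Returns the number of pages left afterwards.
    """
    for url in admin_links(site):
        handler("GET", url, site)
    return len(site)


if __name__ == "__main__":
    print("vulnerable handler, pages left after crawl:",
          crawl(handle_vulnerable, make_site()))   # 0: everything is gone
    print("safe handler, pages left after crawl:",
          crawl(handle_safe, make_site()))         # 3: nothing was touched
```

The safe handler still lets an administrator delete a page, but only from a form that submits with POST (or a client that sends DELETE); the check lives on the server, which is why none of the client-side defences the post lists are needed for this particular failure.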

3 Responses to “Incompetent Boobs Part 3”

  1. yachris Says:

    Do any browsers now support PUT and DELETE? Last I heard they didn’t (so POST is the way to go, I agree).

  2. Porter Says:

    Out of curiosity when was the DELETE action added, and made easily callable within a standard web browser? When was the CMS application developed? Most web browsers still don’t have support for the DELETE action w/o using JavaScript – and some don’t even have that. While I agree that you’re right – the appropriate action should be used that accurately matches what is being attempted; perhaps the ire you feel might be more rightly directed at the browser makers who never really bothered to build browsers supporting anything beyond GET and POST thusly hamstringing most web site and web application builders.

  3. Kevin Says:

    The point is not so much “use DELETE” as it is “don’t use GET for destructive actions”. Using POST is good enough, and would have avoided the problem. (Using a JavaScript “onclick” action would work too; webcrawlers don’t normally implement JavaScript, though users with JS disabled would be out of luck.) The people behind Joomla, Drupal, Zope, TYPO3, WordPress, and Movable Type seem to be able to follow this rule; so whoever built this CMS can’t reasonably hide behind a ‘the browser made me do it’ defense.
