The spider was given an admin login so it could access all content. Reasonable decision if the pages had been designed well.
Even with a confirmation, never delete with a GET. Use POST. If the spider ever discovers the URL that the confirmation uses, it will still delete the content.

Luckily, they had a backup.

wunder

On 6/18/08 1:55 PM, "JLIST" <[EMAIL PROTECTED]> wrote:

> Sounds like web designer's fault. No permission check and no
> confirmation for deletion?
>
>> Never, never delete with a GET. The Ultraseek spider deleted 20K
>> documents on an intranet once because they gave it admin perms and
>> it followed the "delete this page" link on every page.
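
The failure described in this thread, as an added example that is not part of the original messages: a simulated crawler with admin rights walks a small constructed document store, once against a site that deletes on GET and once against a site that accepts deletion only via POST. The routes `/page/<id>` and `/delete`, the store contents and all function names are assumptions made for the illustration.

```python
from urllib.parse import parse_qs

def make_store():
    # Constructed sample data: three intranet pages.
    return {"1": "Home", "2": "HR policy", "3": "Roadmap"}

def render(doc_id, unsafe):
    """Render the 'delete this page' control for one document."""
    if unsafe:
        # State-changing action exposed as a plain link: any GET triggers it.
        return f'<a href="/delete?id={doc_id}">delete this page</a>'
    # Same action as a form: a link-following crawler has nothing to fetch.
    return ('<form method="post" action="/delete">'
            f'<input type="hidden" name="id" value="{doc_id}">'
            '<button>delete this page</button></form>')

def handle(store, method, path, form=None, unsafe=False):
    """Tiny request handler; the caller is assumed to be an authenticated admin."""
    url, _, query = path.partition("?")
    if url == "/delete":
        if unsafe:
            doc_id = parse_qs(query).get("id", [None])[0]
        elif method != "POST":
            # Safe variant: GET never changes state, even if the URL is known.
            return 405, {"Allow": "POST"}, ""
        else:
            doc_id = (form or {}).get("id")
        store.pop(doc_id, None)
        return 200, {}, "deleted"
    if url.startswith("/page/") and url[len("/page/"):] in store:
        return 200, {}, render(url[len("/page/"):], unsafe)
    return 404, {}, ""

def crawl(store, unsafe):
    """Simulated spider: GET every page, then GET every href found on it."""
    for doc_id in list(store):
        _, _, body = handle(store, "GET", f"/page/{doc_id}", unsafe=unsafe)
        start = body.find('href="')
        while start != -1:
            end = body.find('"', start + 6)
            handle(store, "GET", body[start + 6:end], unsafe=unsafe)
            start = body.find('href="', end)
    return len(store)  # documents that survived the crawl

if __name__ == "__main__":
    print("GET-delete site, documents left:", crawl(make_store(), unsafe=True))
    print("POST-only site, documents left:", crawl(make_store(), unsafe=False))
```
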