My goal was to change an existing piece of data on the site to add the mention "hacked". The site was a typical interface to a database, with the notions of "new item", "update item" and "view item" clearly visible.
- From that, I deduced it worked with a database.
- From that, I made the assumption that there would be a database table with the field id equal to 20 for the element I wanted to mark as "hacked".
- From the fact that this library was free software, and that the files were named .php, I made the assumption that the database would be a MySQL one, as is most often the case.
- From this I learnt the names of the table and some of its fields inside the database.
- From this, I validated that id was actually a field inside the same table, which I only assumed earlier.
- From there, I guessed it would be a piece of cake :-)
So, from all that, I conclude that it's important to hide the programmer's data from the eyes of the user. In particular, GET parameters should not be used thoughtlessly, and error messages from the server or middleware should not be displayed to the user. A good polite "We encountered an internal error." is fair enough.
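One way to apply both points in a PHP "view item" handler, as an added example that is not the site's code: the GET value is validated and bound as a parameter, and database errors go to the server log while the user sees only the generic message. The `items` table, its `title` column, the `view_item` function and the in-memory SQLite database standing in for MySQL are assumptions made for the demo.

```php
<?php
// Added example (not the site's code). Table "items" and column "title" are hypothetical.
declare(strict_types=1);

ini_set('display_errors', '0');   // never render PHP or driver errors into the page
ini_set('log_errors', '1');       // keep the detail, but server-side only

/** Returns [HTTP status, body] for a "view item" request; $rawId would be $_GET['id']. */
function view_item(PDO $db, mixed $rawId): array
{
    // Treat the GET parameter as untrusted: accept only a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid request.'];
    }
    try {
        // Prepared statement: the value is bound, never concatenated into the SQL.
        $stmt = $db->prepare('SELECT title FROM items WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Table names, column names and SQL state go to the log under a reference
        // the user can quote; the response carries none of that detail.
        $ref = bin2hex(random_bytes(4));
        error_log("[$ref] view_item failed: " . $e->getMessage());
        return [500, "We encountered an internal error. (ref $ref)"];
    }
    if ($row === false) {
        return [404, 'No such item.'];
    }
    return [200, htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8')];
}

// Constructed demo data; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items (id, title) VALUES (20, 'Sample item')");

foreach (['20', 'abc', "20'", '999'] as $input) {
    [$status, $body] = view_item($db, $input);
    echo str_pad($input, 12), " -> $status $body\n";
}
// Simulate a server-side fault: the user still sees only the generic message.
$db->exec('DROP TABLE items');
[$status, $body] = view_item($db, '20');
echo str_pad('20 (fault)', 12), " -> $status $body\n";
```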
So, next time the web server's admin or the web dev tells you such small details are not important, just kick him in the balls. I take complaints at cpradier _at_ gmail.com