
Apache Web Server Forum

Mod ReWrite
Is it really secure?

panic
msg:1522928, 12:54 am on Aug 14, 2003 (gmt 0)

I've been using Mod ReWrite on my site for a while now, but today I noticed something odd in my tracking database.

I have Mod ReWrite do the following :

Request URI -> Actual URL
widgets.com/products/600/ -> view-products.php?id=600

I track my clicks in a MySQL database... where I track the visitor's IP, referring URL, and Request URI. And today, I noticed that one user's REQUEST URI was view-products.php?id=600 ... which leads me to believe that they somehow found the Mod ReWrite condition.

Also note:

  • There was no HTTP_REFERER, which means it was a direct page request
  • There was nothing in my access logs that showed any foul play
  • The .htaccess is secure
  • I host my own content, which leaves out the possibility of it being accessed by a nosy admin
  • The actual URL was never given to ANYONE ... ever!

Any ideas as to how this could've happened?

-panic

    jdMorgan
    msg:1522929, 2:04 am on Aug 14, 2003 (gmt 0)

    panic,

    > There was no HTTP_REFERER, which means it was a direct page request

    Not necessarily. Two inches above this line on my screen is a "Send Referer" checkbox in a toolbar for my Netscape/Mozilla browsers. If I uncheck it, you'll get a blank referrer for any page I visit on your site. Any user-agent could be modified to do this, and programs like Norton Internet Security can be configured to block referers.

    To clarify, you are using a server-internal redirect, not a 301 or 302, your .htaccess file cannot be fetched with HTTP, and your raw log files, stats database and FTP server are secure? That's all I can think of...

    Jim

    bakedjake
    msg:1522930, 2:23 pm on Aug 14, 2003 (gmt 0)

    I track my clicks in a MySQL database... where I track the visitor's IP, referring URL, and Request URI. And today, I noticed that one user's REQUEST URI was view-products.php?id=600 ... which leads me to believe that they somehow found the Mod ReWrite condition.

    Two things:

    1. Maybe an old bookmark from a user? I've bookmarked sites, then not gone back for a year. If you've created your rewrite rules recently, this is most likely the answer. If not, then maybe not.

    2. Sometimes, people play around to see if they can find the original script... sometimes, they're just curious. We've seen this before in logs - usually, they'll try to guess a couple of times. Do you have any other strange activity from this user?

    claus
    msg:1522931, 2:31 pm on Aug 14, 2003 (gmt 0)

    >> old bookmark from a user

    - or a link in a collection that has not been updated for a while combined with an anonymous surfer.

    It could also be a long-interval-bot visiting (eg. a (manual) link checker).

    /claus

    panic
    msg:1522932, 6:10 pm on Aug 14, 2003 (gmt 0)

    It definitely was not an old bookmark, as that URL with the query string was never (and I mean NEVER) given out.

    I checked the access logs for that day, and again, I didn't see any foul play. The user went directly to that page... no other clicks on my site, ever. (That IP has only shown up in my logs once.)

    Maybe it was them just toying with the site out of curiosity, but they must have some incredible luck to have been able to guess not only the PHP page, but the variable as well. Also, I made my whole site on my own... no premade scripts were used.

    -panic

    msr986
    msg:1522933, 6:45 pm on Aug 14, 2003 (gmt 0)

    > as that URL with the query string was never (and I mean NEVER) given out.

    Did you ever visit this URL yourself with the Google toolbar active?

    panic
    msg:1522934, 6:48 pm on Aug 14, 2003 (gmt 0)

    I do all of my testing/development/etc in Links for Linux... so that rules out the Google Toolbar.

    claus
    msg:1522935, 10:03 pm on Aug 14, 2003 (gmt 0)

    Perhaps... just guessing... do you have links on that page? Perhaps it's someone checking a referrer from a log file... although I would think they should see the other address instead.

    panic
    msg:1522936, 11:26 pm on Aug 14, 2003 (gmt 0)

    I have no external links on that page at all.

    -panic

    claus
    msg:1522937, 9:57 am on Aug 15, 2003 (gmt 0)

    This IS really strange... I'm totally out of guesses, except for one: that somebody somehow has provoked that "view-products.php" script to return an error and that the error message included the URL. PHP error messages often do return internal URLs and database calls as well, as far as I have seen.

    But from there to somebody entering it in the address line... perhaps just curiosity... due to the blank referrer, a copy-paste off some error message sounds probable - unless of course your script has an error handling routine that means it will never-ever produce such an error... then we're back to square one.

    I can't really convince myself that it's the .htaccess file or mod_rewrite unless all other conceivable options have been examined thoroughly, sorry about that ;)

    panic
    msg:1522938, 4:56 pm on Aug 15, 2003 (gmt 0)

    I never thought about that, Claus! :P

    I have view-products.php open a MySQL connection, and I've got no error handling on that page for failed connections. My guess is that the connection failed just that ONE time, and they toyed with it out of curiosity.

    Having said that, I added error-handling for the MySQL connection. Hopefully, this won't happen again :)

    Thanks for your ideas and your help, guys!

    -panic
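The fix panic describes (handling a failed MySQL connection so that PHP never prints a warning containing the script's path) could look like the following. This is an added example, not code from the thread; it assumes a modern PHP with the mysqli extension and uses placeholder credentials and a hypothetical products table.

```php
<?php
// Added example (not from the thread). Assumes PHP 8.x with mysqli.
// A default PHP warning such as
//   "mysqli_connect(): ... in /var/www/view-products.php on line 12"
// would hand the client the very script name the rewrite rule hides,
// so errors must go to the server log, never to the response body.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Make mysqli throw exceptions instead of emitting warnings.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connectDb(string $host, string $user, string $pass, string $name): ?mysqli
{
    try {
        return new mysqli($host, $user, $pass, $name);
    } catch (mysqli_sql_exception $e) {
        // Server-side log only: message and file path stay out of the response.
        error_log('DB connect failed: ' . $e->getMessage());
        return null;
    }
}

// The rewrite passes /products/600/ as ?id=600; accept only a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(404);
    exit('Not found');
}

// Placeholder credentials; read them from config outside the web root in practice.
$db = connectDb('localhost', 'appuser', 'PLACEHOLDER_PASSWORD', 'shop');
if ($db === null) {
    // Generic response: nothing about PHP, MySQL or the file name leaks.
    http_response_code(503);
    header('Retry-After: 60');
    exit('Service temporarily unavailable');
}

// Parameterised query (hypothetical table) so the id is never interpolated.
$stmt = $db->prepare('SELECT name, price FROM products WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$product = $stmt->get_result()->fetch_assoc();
if ($product === null) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
```

With display_errors off, a failed connection now yields only a generic 503 and a line in the server's error log, so an error no longer reveals the internal URL behind the rewrite.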
