Is it really secure?
I've been using Mod ReWrite on my site for a while now, but today I noticed something odd in my tracking database.
I have Mod ReWrite do the following :
Request URI -> Actual URL
widgets.com/products/600/ -> view-products.php?id=600
I track my clicks in a MySQL database... where I track the visitor's IP, referring URL, and Request URI. And today, I noticed that one user's REQUEST URI was view-products.php?id=600 ... which leads me to believe that they somehow found the Mod ReWrite condition.
Also note: There was no HTTP_REFERER, which means it was a direct page request
There was nothing in my access logs that showed any foul play
The .htaccess is secure
I host my own content, which leaves out the possibility of it being accessed by a nosy admin
The actual URL was never given to ANYONE ... ever!
Any ideas as to how this could've happened?
> There was no HTTP_REFERER, which means it was a direct page request
Not necessarily. Two inches above this line on my screen is a "Send Referer" checkbox in a toolbar for my Netscape/Mozilla browsers. If I uncheck it, you'll get a blank referrer for any page I visit on your site. Any user-agent could be modified to do this, and programs like Norton Internet Security can be configured to block referers.
To clarify, you are using a server-internal redirect, not a 301 or 302, your .htaccess file cannot be fetched with HTTP, and your raw log files, stats database and FTP server are secure? That's all I can think of...
|I track my clicks in a MySQL database... where I track the visitor's IP, referring URL, and Request URI. And today, I noticed that one user's REQUEST URI was view-products.php?id=600 ... which leads me to believe that they somehow found the Mod ReWrite condition. |
1. Maybe an old bookmark from a user? I've bookmarked sites, then not gone back for a year. If you've created your rewrite rules recently, this is most likely the answer. If not, then maybe not.
2. Sometimes, people play around to see if they can find the original script... sometimes, they're just curious. We've seen this before in logs - usually, they'll try to guess a couple of times. Do you have any other strange activity from this user?
>> old bookmark from a user
- or a link in a collection that has not been updated for a while combined with an anonymous surfer.
It could also be a long-interval-bot visiting (eg. a (manual) link checker).
It definitely was not an old bookmark, as that URL with the query string was never (and I mean NEVER) given out.
I checked the access logs for that day, and again, I didn't see any foul play. The user went directly to that page... no other clicks on my site, ever. (That IP has only showed up in my logs once)
Maybe it was them just toying with the site out of curiousity, but they must have some incredible luck to have been able to guess not only the PHP page, but the variable as well. Also, I made my whole site on my own... no premade scripts were used.
> as that URL with the query string was never (and I mean NEVER) given out.
Did you ever visit this URL yourself with the Google toolbar active?
I do all of my testing/development/etc in Links for Linux... so that rules out the Google Toolbar.
perhaps... just guessing.. do you have links on that page? Perhaps it's someone checking a referrer from a log file... although i would think they should see the other address in stead.
I have no external links on that page at all.
This IS really strange... i'm totally out of guesses, except for one: that somebody somehow have provoked that "view-products.php" script to return an error and that the error message included the url. PHP-error messages often do return internal urls and database calls as well, as far as i have seen.
But from there to somebody entering it in the address line... perhaps just curiosity... due to the blank referrer, a copy-paste off some error message sounds probable - unless of course that your script has an error handling routine that means that it will never-ever produce such an error... then we're back to square one.
I can't really convince myself that it's the .htaccess file or mod_rewrite unless all other conceivable options have been examined thoroughly, sorry about that ;)
I never thought about that, Claus! :P
I have view-products.php open a MySQL connection, and I've got no error handling on that page for failed connections. My guess is that the connection failed just that ONE time, and they toyed with it out of curiousity.
Having said that, I added error-handling for the MySQL connection. Hopefully, this won't happen again :)
Thanks for your ideas and your help, guys!