Is this a vulnerability?

Forum Moderators: phranque

Message Too Old, No Replies

Is this a vulnerability?

Canonical Issue through :80?

Bilbo

12:31 am on Dec 8, 2008 (gmt 0)

I have noticed a lott of requests on domain in logs using following

[yourdomain.com:80...]

Is this a possible way of creating a Canonical Issue?

Be glad of any advice

g1smd

12:35 am on Dec 8, 2008 (gmt 0)

Yes it is.

If any part of the URL differers by only one character, then you have a Duplicate Content issue.

It is very easy to 301 redirect such requests to the correct URL, using just two lines of code.

There's many previous posts with such an example, for "appended port numbers and/or punctuation".

jdMorgan

12:45 am on Dec 8, 2008 (gmt 0)

Beware also the FQDN format http://www.example.com./page.html, which could also be combined with the appended port number format, giving http://www.example.com.:80/page.html

All three formats are perfectly-valid, but (usually) non-canonical.

Jim

Bilbo

12:51 am on Dec 8, 2008 (gmt 0)

Thanks guys, I have a redirect already on this and just checking if its a 301 not 302. JdMorgan you describe the exact format beeing hit.

Thanks again for the response :)

jdMorgan

1:14 am on Dec 8, 2008 (gmt 0)

Here are two forms of simple domain canonicalization using mod_rewrite in .htaccess.

The first redirects anything that is not exactly the canonical domain (or blank, for HTTP/1.0 requests):


# If requested hostname is not *exactly* "www.example.com" (or blank)
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
# externally redirect to canonical "www.example.com" hostname
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

The second is to be used if you have several domains or subdomains resolving to the same .htaccess file:


# If requested hostname is any variation of "example.com"
RewriteCond %{HTTP_HOST} example\.com [NC]
# but is not *exactly* "www.example.com"
RewriteCond %{HTTP_HOST} !^www\.example\.com$
# externally redirect to canonical "www.example.com" hostname
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
#
# If requested hostname is any variation of "ex-maple.com"
RewriteCond %{HTTP_HOST} ex-maple\.com [NC]
# but is not *exactly* "ex-maple.com"
RewriteCond %{HTTP_HOST} !^ex-maple\.com$
# externally redirect to canonical "ex-maple.com" hostname
RewriteRule (.*) http://ex-maple.com/$1 [R=301,L]

Note that the "any variation" pattern is un-anchored, and will accept any uppercase/lowercase variations, while the "exactly" pattern is fully-anchored, and requires all-lowercase, and no trailing period or port numbers.

Jim

Bilbo

1:21 am on Dec 8, 2008 (gmt 0)

Ok I am getting a redirect onbrowser but no 301 or 302 in headers even using live headers in firefox, also I am getting a response from server showing host as "Host: www.yourdomain.com:80".

is there a way of rewriting a :80 "request" to "" in Apache?

Bilbo

1:25 am on Dec 8, 2008 (gmt 0)

Sorry JD ignore my last comment just seen your script ;)

Bilbo

1:49 am on Dec 8, 2008 (gmt 0)

JD your script worked beutifully now returning a solid 301 in headers.

Thankyou so much I owe you one.

Bilbo :)