httpd-users mailing list archives

From "Sebastien Bellerive" <seb....@sympatico.ca>
Subject Re: [users@httpd] Display Domain Only?
Date Tue, 26 Nov 2002 18:54:30 GMT
Right.. with PHP (and others for sure) you can just as easily 'manually' do
POSTs as one does GETs.. so it's really irrelevant if the URL is shown or
not, the info is still there for anyone to use/modify

----- Original Message -----
From: "Joshua Slive" <joshua@slive.ca>
To: <users@httpd.apache.org>
Sent: Tuesday, November 26, 2002 10:39 AM
Subject: RE: [users@httpd] Display Domain Only?


>
> On Tue, 26 Nov 2002, Razvan Costea-B. wrote:
> > >And even if you were, what you are talking about is
> > >security-through-obscurity, and not very good obscurity at that.  If your
> > >browser can find it, then an attacker can find it just as easily.
> >
> >
> > However, I am a total rookie in this domain, but I've always thought that
> > you can write a page and have a script or something that would run on the
> > server alone, which will act on the links clicked by the user...
> >
> > Can't you do such a thing? (as I follow your posts I am beginning to feel
> > insecure about this).
>
> Sure, you can do this.  But the crucial point is, there is nothing magical
> about netscape or msie.  If your browser can trigger something to happen on
> the server, then an attacker can easily replicate that process.
>
> We are talking in way too abstract terms here, so it is difficult to
> figure out exactly what kind of an example you are referring to.  But I
> can pretty much guarantee that, whatever it is, you aren't going to make
> it any safer by hiding the URL.
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
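
The point made in this thread, as an added example that is not part of any poster's message: a server receives the same parameters whether a browser or a hand-built client sends them, by GET or by POST, so the access decision has to be made on the server. The two WSGI handlers, the `X-Session` header, the key and the order data are all hypothetical and constructed for the demonstration.

```python
import hashlib, hmac, io
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"   # constructed value, demo only
OWNERS = {"42": "alice"}           # constructed data: order id -> owner

def _mac(user):
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def issue_session(user):           # token handed out at login: name + HMAC
    return f"{user}.{_mac(user)}"

def session_user(token):
    """Return the user if the token's HMAC verifies, else None."""
    user, _, mac = (token or "").partition(".")
    return user if hmac.compare_digest(mac.encode(), _mac(user).encode()) else None

def params(env):
    """Parameters reach the server the same way from GET or POST."""
    raw = env["QUERY_STRING"]
    if env["REQUEST_METHOD"] == "POST":
        raw = env["wsgi.input"].read(int(env["CONTENT_LENGTH"])).decode()
    return {k: v[0] for k, v in parse_qs(raw).items()}

def respond(start_response, status, body):
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]

def obscured_app(env, start_response):
    """Assumes only its own hidden form or frame ever reaches it."""
    order = params(env).get("order")
    return respond(start_response, "200 OK", f"details of order {order}")

def checked_app(env, start_response):
    """Decides on the server; X-Session is a hypothetical session header."""
    order = params(env).get("order")
    user = session_user(env.get("HTTP_X_SESSION"))
    if user is None or OWNERS.get(order) != user:
        return respond(start_response, "403 Forbidden", "forbidden")
    return respond(start_response, "200 OK", f"details of order {order}")

def status_of(app, method, data, session=None):
    """Hand-build a WSGI request, as any non-browser client can; return status."""
    body = data.encode() if method == "POST" else b""
    env = {"REQUEST_METHOD": method, "QUERY_STRING": "" if body else data,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
           "HTTP_X_SESSION": session}
    seen = []
    app(env, lambda status, headers: seen.append(status))
    return seen[0]
```

`obscured_app` answers any caller regardless of method, while `checked_app` answers only a session whose HMAC verifies and whose user owns the requested order.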

