httpd-users mailing list archives

From "Steven Pierce" <paged...@speakeasy.net>
Subject Re: [users@httpd] Display Domain Only?
Date Tue, 26 Nov 2002 19:48:41 GMT


Very well said.  It is kind of like the old "lock your door" (car, home, truck, etc.): it will
keep out the honest thief, but if someone really wants to get into your car, home, etc.,
they will.


*********** REPLY SEPARATOR  ***********

On 11/26/2002 at 11:42 AM Sebastien Bellerive wrote:

>What I'm saying is that anyone who happens to really feel a need to modify
>URLs manually like he's suggesting (crackers anyone?) can get by any of
>these little tricks, so besides 'prettying' up the url, it's fairly pointless
>as a security measure.
>
>i.e.: DON'T depend on the url being hidden to protect your site and/or data.
>Don't depend on POST vs GET to protect your site.
>
>Joe average web server has no clue of how to do it, sure, but joe average
>isn't going to be trying to break into your servers/sites.
>
>Seb.
>
>----- Original Message -----
>From: "Chris Meadors" <clubneon@hereintown.net>
>To: <users@httpd.apache.org>
>Sent: Tuesday, November 26, 2002 11:09 AM
>Subject: Re: [users@httpd] Display Domain Only?
>
>
>> Sebastien Bellerive wrote:
>> > Right.. with PHP (and others for sure) you can just as easily 'manually' do
>> > POSTs as one does GETs.. so it's really irrelevant if the url is shown or
>> > not, the info is still there for anyone to use/modify
>>
>> Not in a properly written CGI app.  You can just refuse GETs.  Of course
>> I can whip up a new form (or use Mozilla's debugging features) to POST
>> whatever I want.
>>
>> Also as a note, when I go to a site that tries to hide the URL in a
>> frame, the first thing I do is tell it to show the inside frame only.
>>
>> --
>> Chris
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>




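The point made in this thread (refusing GETs or hiding the URL does not decide who may see the data) shown as an added example that is not part of the original messages: a handler that only checks the request method next to one that also checks ownership against server-side session state. The order store, session table, handler names and the "sid" cookie are all constructed for illustration.

```python
# Added example: ORDERS, SESSIONS and both handlers are hypothetical, constructed data.
ORDERS = {"1001": {"owner": "alice", "total": "19.99"},
          "1002": {"owner": "bob", "total": "250.00"}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session id -> user, kept server-side


def method_only_handler(method, form, cookies):
    """Weak: refuses GET, then trusts whatever order_id the client sent."""
    if method != "POST":
        return 405, "Method Not Allowed"
    order = ORDERS.get(form.get("order_id", ""))
    if order is None:
        return 404, "Not Found"
    return 200, order["total"]


def authorizing_handler(method, form, cookies):
    """Hardened: same method rule, plus an ownership check on every request."""
    if method != "POST":
        return 405, "Method Not Allowed"
    user = SESSIONS.get(cookies.get("sid", ""))
    if user is None:
        return 401, "Unauthorized"
    order = ORDERS.get(form.get("order_id", ""))
    # Same answer for "no such order" and "not your order", so ids cannot be probed.
    if order is None or order["owner"] != user:
        return 404, "Not Found"
    return 200, order["total"]


def compare(method, form, cookies):
    """Return the status codes (method-only, authorizing) for one request."""
    return (method_only_handler(method, form, cookies)[0],
            authorizing_handler(method, form, cookies)[0])


if __name__ == "__main__":
    # Constructed requests: alice's session asking for her own and for bob's order.
    alice = {"sid": "sess-alice"}
    for method, order_id, cookies in [("GET", "1002", alice),
                                      ("POST", "1001", alice),
                                      ("POST", "1002", alice),
                                      ("POST", "1002", {})]:
        weak, hardened = compare(method, {"order_id": order_id}, cookies)
        print(f"{method:4} order={order_id} sid={cookies.get('sid')}: "
              f"method-only={weak} authorizing={hardened}")
```

The two handlers differ only on the last two requests: the method check lets a POST for someone else's order through, while the ownership check returns 404 or 401.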

