httpd-users mailing list archives

From "Jacob Coby" <jc...@listingbook.com>
Subject Re: [users@httpd] block url - rewrite or proxy?
Date Fri, 13 Dec 2002 20:54:39 GMT
> I am new to apache, so sorry if it's a dumb question

Don't be such a pessimist.

> I have some security concerns about sharing filemaker databases with
> webcompanion. The issue is with the XML dso_xml tag (and -raw)
>
> Anyone can type in their web browser address bar, something like:
>
> http://yourhost:591/FMPro?-db=database.fp5&-format=-dso_xml&-findall
>
> this will reveal all the fields from your database in their browser, not
> really good when you have confidential information...

No, that's a Pretty Bad Thing.

> WHAT I WOULD LIKE:
> when people are typing &-format=-dso_xml&-findall they would go
> nowhere (403.html)
>
> What is the best way to do it: proxy, apache rewrite?
> And how do you implement it?

AFAIK, rewrite cannot operate on parameters (everything after the ?); I
don't know about proxy.

What you may end up doing is throwing the FMPro app inside a sandbox,
written in a script language (php, perl, python, whatever), that can do some
inspection of the parameters, and only allow the call to execute iff they
all pass.  Otherwise, log an error and show a blank page.  Maybe even
blacklist the offensive IP for 5/10/30 min.

Have you checked the FMPro docs to see if there is a way to prevent
&-format=-dso_xml&-findall from working?

-Jacob


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
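The parameter-inspecting sandbox Jacob describes, as an added Python example (not the poster's code and not from FileMaker): the set of forwardable parameter names, the -dso_xml prefix check (covering the -raw variant), and the 5/10/30-minute per-IP block are constructed assumptions for illustration, not FMPro documentation.

```python
import urllib.parse

# Constructed policy (an assumption, not FMPro docs): names the wrapper will
# forward to FMPro, and -format values it refuses (prefix covers the -raw variant).
ALLOWED_PARAMS = {"-db", "-lay", "-format", "-find", "-findall", "-max", "-skip"}
BLOCKED_FORMATS = ("-dso_xml",)

def parse_query(query):
    """Parse an FMPro-style query string; flags such as -findall carry no value."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[urllib.parse.unquote_plus(key).lower()] = urllib.parse.unquote_plus(value)
    return params

def check_request(query):
    """Return (allowed, reason): every parameter must be known and the format safe."""
    params = parse_query(query)
    for key in params:
        if key not in ALLOWED_PARAMS:
            return False, "unknown parameter %r" % key
    fmt = params.get("-format", "").lower()
    if fmt.startswith(BLOCKED_FORMATS):
        return False, "format %r dumps every field" % fmt
    return True, "ok"

class Blocklist:
    """Temporary per-IP block with escalating durations: 5, 10, then 30 minutes."""
    DURATIONS = (300, 600, 1800)

    def __init__(self):
        self.strikes, self.blocked_until = {}, {}

    def record_failure(self, ip, now):
        n = self.strikes.get(ip, 0)
        self.strikes[ip] = n + 1
        self.blocked_until[ip] = now + self.DURATIONS[min(n, len(self.DURATIONS) - 1)]
        return self.blocked_until[ip]

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, 0)

def handle(ip, query, blocklist, now):
    # Sandbox decision: ("forward", query) to FMPro, or ("blank", reason) to log.
    if blocklist.is_blocked(ip, now):
        return "blank", "ip temporarily blocked"
    allowed, reason = check_request(query)
    if not allowed:
        blocklist.record_failure(ip, now)
        return "blank", reason
    return "forward", query
```

`now` is passed in as a Unix timestamp so the block timing is testable; a real wrapper would pass `time.time()` and forward the query to FMPro on "forward".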

