httpd-users mailing list archives

From Frederic Fery <Fred.F...@uts.edu.au>
Subject Re: [users@httpd] block url - rewrite or proxy?
Date Fri, 13 Dec 2002 21:49:27 GMT
Jacob Coby wrote:

>>I have some security concerns about sharing filemaker databases with
>>webcompanion. The issue is with the XML dso_xml tag (and -raw)
>>
>>Anyone can type in their web browser address bar, something like:
>>
>>http://yourhost:591/FMPro?-db=database.fp5&-format=-dso_xml&-findall
>>
>>this will reveal all the fields from your database in their browser, not
>>really good when you have confidential information...
> 
> 
> No, that's a Pretty Bad Thing.
> 
> 
>>WHAT I WOULD LIKE:
>>when people are typing &-format=-dso_xml&-findall they would get go
>>nowhere (403.html)
>>
>>What is the best way to do it: proxy, apache rewrite?
>>And how do you implement it?
> 
> 
> AFAIK, rewrite cannot operate on parameters (everything after the ?), I
> don't know about proxy.
> 
> What you may end up doing is throwing the FMPro app inside a sandbox,
> written in a script language (php, perl, python, whatever), that can do some
> inspection of the parameters, and only allow the call to execute iff they
> all pass.  Otherwise, log an error and show a blank page.  Maybe even
> blacklist the offensive ip for 5/10/30 min.
> 
> Have you checked the FMPro docs to see if there is a way to prevent
> &-format=-dso_xml&-findall from working?

There is nothing about this in the FileMaker Pro doc. I met a FileMaker Pro
sys engineer last week; they reckon it's not a security hole but a FileMaker
Pro feature. "It's up to web admin people to secure their app."

Anyway, I am stuck with this FileMaker Pro app (my pref is PHP).

I have found this rewrite rule: (in the .htaccess)
RewriteEngine On
# These rules will deny:
#localhost:591/FMPro?-db=Sonnets.fp5&-format=-dso_xml&-findall
# All four conditions are ANDed: the rule only fires when every one matches.
RewriteCond %{SERVER_PORT} 591 [NC]
RewriteCond %{REQUEST_URI} /FMPro [NC]
RewriteCond %{QUERY_STRING} -db=Sonnets\.fp5 [NC]
RewriteCond %{QUERY_STRING} -format=-dso_xml [NC]
# "-" = no substitution; [F] = answer 403 Forbidden
RewriteRule . - [F]

but doesn't quite work

> 
> -Jacob


-- 
Frederic Fery
Faculty Web Master

http://www.dab.uts.edu.au
http://www.nmh.uts.edu.au
http://www.hss.uts.edu.au
http://www.utsgallery.uts.edu.au
http://www.techtrain.uts.edu.au

University of Technology, Sydney.
Ph: 02 9514 89 37
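Jacob's suggestion above (a small script in front of FMPro that inspects every parameter and only lets the call through if they all pass, otherwise logs and refuses) written out as an added example in Python; this is not code from the thread or from FileMaker. The allowed parameter names, the database list, the refused formats (treating the "-raw" mentioned as a -format value) and the 403/404 statuses are constructed assumptions; unlike a RewriteCond over the raw QUERY_STRING, it compares parameters after URL-decoding.

```python
import logging
from urllib.parse import parse_qsl

log = logging.getLogger("fmpro-guard")

# Policy (constructed assumptions, not FileMaker's): parameter names that
# may reach FMPro at all, -format values that are refused, and the
# databases that are meant to be reachable from the web.
ALLOWED_PARAMS = {"-db", "-lay", "-format", "-find", "-max"}
DENIED_FORMATS = {"-dso_xml", "-raw"}
ALLOWED_DBS = {"sonnets.fp5"}


def inspect_query(query_string):
    """Return (allowed, reason); reason is '' when every parameter passes."""
    # parse_qsl decodes %XX and '+' before we compare, so differently
    # encoded spellings of one parameter get the same decision; a regex on
    # the raw QUERY_STRING (as in a RewriteCond) never sees decoded text.
    # keep_blank_values keeps value-less switches such as -findall.
    params = parse_qsl(query_string, keep_blank_values=True)
    seen = {}
    for name, value in params:
        name, value = name.lower(), value.lower()
        if name not in ALLOWED_PARAMS:
            return False, "parameter not allowed: " + name
        if name == "-format" and value in DENIED_FORMATS:
            return False, "format refused: " + value
        if name == "-db" and value not in ALLOWED_DBS:
            return False, "database not exposed: " + value
        seen[name] = value
    if "-db" not in seen:
        return False, "missing -db"
    return True, ""


def handle(path, query_string, client_ip):
    """Decide one request; returns the HTTP status the wrapper would send."""
    if path != "/FMPro":
        return 404
    allowed, reason = inspect_query(query_string)
    if not allowed:
        # log and refuse; blacklisting client_ip for a while, as the
        # thread suggests, would hook in here
        log.warning("refused %s?%s from %s: %s", path, query_string,
                    client_ip, reason)
        return 403
    return 200  # the real script forwards the request to FMPro here
```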

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
