httpd-users mailing list archives

From Oliver Schoenborn <scho...@cae.com>
Subject RE: [users@httpd] :Mod rewrite
Date Mon, 11 Jan 2010 14:58:46 GMT
> From: Marcin 'Rambo' Roguski [mailto:rambo@id.uw.edu.pl]
> 
> > Marcin, I'm also curious about your statement about a security hole when
> > spoofing a domain name via mod_rewrite. Isn't mod_rewrite *all* about
> > spoofing URLs (which can include the domain name part)?
> 
> As you mentioned, remapping is not the same as spoofing. Imagine someone's
> ability to send you back the URI www.yourbankname.com as the current domain
> when you're actually at nastysite.thief.com (obviously, that's simply
> impossible, but if you look at the sender's question, it's kind of what
> he's trying to achieve - of course, in this case, with innocent
> subdomain spoofing)

Spoofing is when you are intentionally lying to the user about which domain server they are
accessing: they think they are at a server in foo.com, but they are in fact at an xx.xx.xx.xx
computer that is phishing for the user's data. Subdomains are handled by the DNS server for
the domain. Therefore, to spoof a subdomain you first have to spoof the domain to change which
DNS server gets used. But the OP was not spoofing a domain, just changing the subdomain displayed,
something done zillions of times by mod_rewrite users for maintenance, testing, etc.

Also, mod_rewrite provides the P (reverse proxy) and R (redirect) rule qualifiers for a reason:
for proxying and redirecting. Redirecting can be used to redirect to an entirely different
site. If my company has been purchased and I want to redirect *all* requests for www.foo.com
(www.foo.com/whatever...) to mothership.com, then I could use mod_rewrite to redirect to www.mothership.com.
This would not be spoofing, but a legitimate redirection. OTOH, if I proxied all requests to
www.foo.com to www.mothership.com (the user wouldn't know, since it uses ProxyPass etc.), I would
still not be spoofing, just keeping Foo's identity intact so my clients are put off by a (friendly)
takeover.

Oliver
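The two cases Oliver describes (an R redirect that sends the browser to the new site, versus a P reverse proxy that keeps the old name in the address bar) can be written as httpd configuration. This is an added example, not part of the original message; www.foo.com and www.mothership.com are the placeholder hostnames from the thread, and the P variant assumes mod_proxy and mod_proxy_http are loaded.

```apache
# Added example (not from the original message). Pick ONE of the two
# blocks below; both use the placeholder names from the thread.

# Option 1: external redirect (R flag). The browser receives a 301 and
# its address bar changes to www.mothership.com, so nothing about the
# real server is hidden from the user.
<VirtualHost *:80>
    ServerName www.foo.com
    RewriteEngine On
    RewriteRule ^/(.*)$ http://www.mothership.com/$1 [R=301,L]
</VirtualHost>

# Option 2: reverse proxy (P flag; the target must be an absolute URL
# and mod_proxy plus mod_proxy_http must be loaded). The address bar
# keeps showing www.foo.com while the content comes from mothership.
<VirtualHost *:80>
    ServerName www.foo.com
    RewriteEngine On

    # Never let the P flag turn this host into an open forward proxy:
    # only the explicit mothership target below is proxied.
    ProxyRequests Off

    RewriteRule ^/(.*)$ http://www.mothership.com/$1 [P,L]

    # Rewrite Location and Set-Cookie headers in mothership's responses
    # back to the foo.com name, so a redirect issued by the backend does
    # not drop the client onto www.mothership.com unexpectedly.
    ProxyPassReverse / http://www.mothership.com/
</VirtualHost>
```

With ProxyRequests Off, the P flag still works because the rewrite names a fixed upstream; the directive only refuses arbitrary client-supplied proxy targets. If the upstream is reached over https, SSLProxyEngine On is also needed in the proxying VirtualHost.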



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

