httpd-users mailing list archives

From Oliver Schoenborn <>
Subject RE: [users@httpd] :Mod rewrite
Date Mon, 11 Jan 2010 14:58:46 GMT
> From: Marcin 'Rambo' Roguski []
> > Marcin, I'm also curious about your statement about security hole when
> > spoofing a domain name via mod-rewrite. Isn't mod-rewrite *all* about
> > spoofing URL's (which can include domain name part)?
> As you mentioned, remapping is not the same as spoofing. Imagine someone's
> ability to send you back URI as the current domain
> when you're actually at (obviously, that's simply
> impossible, but if you look at the senders question, it's kinda that
> what he's trying to achieve - of course, in this case, with innocent
> subdomain spoofing)

Spoofing is when you are intentionally lying to the user about which domain server they are
accessing: they think they are at a server in, but they are in fact at xx.xx.xx.xx
computer that is phishing for the user's data. Subdomains are handled by the DNS server for
the domain. Therefore to spoof a subdomain you first have to spoof the domain to change which
DNS server gets used. But the OP was not spoofing a domain, just changing the subdomain displayed,
something done zillions of times by mod rewrite users for maintenance, testing etc. 

Also, mod_rewrite provides the P (reverse proxy) and R (redirect) rule qualifiers for a reason:
for proxying and redirecting. Redirecting can be used to redirect to an entirely different
site. If my company has been purchased and I want to redirect *all* requests for
( to then I could use mod-rewrite to redirect to
This would not be spoofing, but a legitimate redirection. OTOH if I proxied all requests to to (the user wouldn't know since using ProxyPass etc), I would
still not be spoofing, just keeping Foo's identity intact so my clients are put off by a (friendly)
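The two rule flags Oliver mentions, R (external redirect) and P (reverse proxy), written out side by side as an added example; this is not part of the original message or of the Apache project's own documentation, and all hostnames (old.example.test, new.example.test, www.example.test, backend.example.test) are placeholders.

```apache
# Added example, not from the original message. Shows the difference between
# the R (redirect) and P (proxy) flags of mod_rewrite as discussed above.
# All hostnames are assumed placeholders.

<VirtualHost *:80>
    ServerName old.example.test
    RewriteEngine On

    # R = external redirect. Apache answers with a 301 and the browser fetches
    # the new URL itself, so the address bar changes to new.example.test.
    # This is the "company was purchased" case: every request is sent on,
    # and the user can see exactly where they ended up.
    RewriteRule ^/(.*)$ http://new.example.test/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.test
    RewriteEngine On

    # P = reverse proxy. Apache fetches the resource from the backend and
    # returns it as its own response; the browser keeps showing
    # www.example.test. The address bar is not lied to (this host really did
    # serve the bytes), which is why proxying is not the same as spoofing.
    # mod_proxy and mod_proxy_http must be loaded for [P] to work.
    RewriteRule ^/partner/(.*)$ http://backend.example.test/$1 [P,L]

    # Rewrite Location/Content-Location headers coming back from the backend
    # so redirects issued by backend.example.test stay under /partner/.
    ProxyPassReverse /partner/ http://backend.example.test/

    # ProxyRequests is Off by default; keep it that way so the [P] rule above
    # does not make this server a forward (open) proxy for arbitrary URLs.
    ProxyRequests Off
</VirtualHost>
```

Reloading the configuration and requesting a path under each virtual host shows the difference: the first host returns a 301 with a Location header pointing at new.example.test, while the second returns 200 with the backend's content and no change of hostname.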

