[PLUG] Unlinked web pages with obscure names - mildly secure?

Jason Martin nsxfreddy at gmail.com
Thu Nov 15 21:22:25 UTC 2007


On Nov 14, 2007 7:58 AM, Keith Lofstrom <keithl at kl-ic.com> wrote:
>
> Apache/Web question:
>
> I have a few https web pages on my site with URLs like cj33wq.html .
> These drive CGI scripts that do stuff for clients, send me messages,
> etc.  They are not linked to (unless my clients do so - bad client!).
> Nothing falls apart if the bad guys find them and start frobbing on
> them;  it is just mildly inconvenient.  While most are password
> protected, some are not (like the page where they prove who they are
> then tell me what they want for a password).
>
> If I understand Apache and web service, there is no way that the bad
> guys can find these pages without an exhaustive search (which would
> be obvious from the logs) or by listening in on my client's traffic.
>
> Am I mistaken?  Are there simple ways to ask Apache for an index of
> all the public but unlinked pages on a website?

Do you have any external links on any of those pages?  Your client's
web browser will happily send the Referer: header to the web server of
any external links.  Additionally, you are relying on your client's
browser being implemented properly to NOT send Referer: if they type
an address in manually or click a bookmark.

Jason
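
The two signals this thread discusses that the site's own Apache access log can show, as an added example (not part of the original messages): a client guessing page names, and a hit on an unlinked page that arrives with an off-site Referer, meaning the URL is linked somewhere else. The host names, sample log lines and the threshold of 20 are constructed assumptions; `cj33wq.html` is the page name from the question.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def audit(lines, own_host, secret_paths, sweep_threshold=20):
    """Return (sweepers, leaks).

    sweepers: {ip: count} for clients that drew 404s on at least
              sweep_threshold distinct paths (name guessing).
    leaks:    [(ip, path, referer)] for hits on an unlinked page that
              arrived with an off-site Referer, i.e. the URL is linked
              or was otherwise disclosed somewhere else.
    """
    misses = defaultdict(set)
    leaks = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, ref = m["ip"], m["path"].split("?")[0], m["referer"]
        if m["status"] == "404":
            misses[ip].add(path)
        if path in secret_paths and ref not in ("", "-"):
            if urlsplit(ref).hostname != own_host:
                leaks.append((ip, path, ref))
    sweepers = {ip: len(p) for ip, p in misses.items() if len(p) >= sweep_threshold}
    return sweepers, leaks

# Constructed sample log (documentation addresses, hypothetical host names).
SAMPLE = [
    f'203.0.113.9 - - [15/Nov/2007:10:00:{i:02d} +0000] "GET /p{i:05d}.html HTTP/1.1" 404 209 "-" "scan"'
    for i in range(25)
] + [
    '198.51.100.7 - - [15/Nov/2007:10:05:00 +0000] "GET /cj33wq.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [15/Nov/2007:10:06:00 +0000] "GET /cj33wq.html HTTP/1.1" 200 812 "http://forum.example.net/t/91" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Nov/2007:10:07:00 +0000] "POST /cj33wq.html HTTP/1.1" 200 300 "https://www.example.org/cj33wq.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    sweepers, leaks = audit(SAMPLE, "www.example.org", {"/cj33wq.html"})
    print("guessing sweeps:", sweepers)
    print("off-site referers:", leaks)
```

This only covers what reaches the site's own log: the Referer a client's browser sends when following an external link from one of these pages is recorded on the other server, so that exposure has to be checked by looking for external links in the pages themselves.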


