[PLUG] Unlinked web pages with obscure names - mildly secure?
Jason Martin
nsxfreddy at gmail.com
Thu Nov 15 21:22:25 UTC 2007
On Nov 14, 2007 7:58 AM, Keith Lofstrom <keithl at kl-ic.com> wrote:
>
> Apache/Web question:
>
> I have a few https web pages on my site with URLs like cj33wq.html .
> These drive CGI scripts that do stuff for clients, send me messages,
> etc. They are not linked to (unless my clients do so - bad client!).
> Nothing falls apart if the bad guys find them and start frobbing on
> them; it is just mildly inconvenient. While most are password
> protected, some are not (like the page where they prove who they are
> then tell me what they want for a password).
>
> If I understand Apache and web service, there is no way that the bad
> guys can find these pages without an exhaustive search (which would
> be obvious from the logs) or by listening in on my client's traffic.
>
> Am I mistaken? Are there simple ways to ask Apache for an index of
> all the public but unlinked pages on a website?
Do you have any external links on any of those pages? Your client's
web browser will happily send the Referer: header to the web server of
any external links. Additionally, you are relying on your client's
browser being implemented properly to NOT send Referer: if they type
an address in manually or click a bookmark.
Jason
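As an added illustration of the point above (not part of the original thread), the small Python script below audits a page served from an obscure URL for external links that would carry that URL to another site in the Referer header. It is a constructed example: the page URL, the sample HTML and the hostnames are invented, and it assumes the older browser behaviour of sending the full URL as Referer, which is what the reply describes. It also models the two mitigations a page author controls, a `<meta name="referrer">` tag and a `rel="noreferrer"` attribute, plus a server-side `Referrer-Policy` response header passed in as a parameter.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Referrer policies under which a cross-site link never reveals the page path.
PATH_HIDING_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


class ReferrerAuditor(HTMLParser):
    """Collect cross-site links and whether following them leaks the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.meta_policy = None      # value of <meta name="referrer"> if present
        self.external = []           # list of (absolute href, leaks_full_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_policy = a.get("content", "").lower()
        elif tag == "a" and a.get("href"):
            href = urljoin(self.page_url, a["href"])
            host = urlsplit(href).hostname
            if host and host != self.page_host:   # mailto:, same-site links skipped
                rel = a.get("rel", "").lower().split()
                self.external.append((href, "noreferrer" not in rel))


def audit_page(page_url, html, response_policy=None):
    """Return [(href, leaks)] for every cross-site link on the page.

    response_policy is the Referrer-Policy HTTP header the server sends, if any
    (a meta tag in the document takes precedence over it for that page).
    """
    p = ReferrerAuditor(page_url)
    p.feed(html)
    p.close()
    policy = p.meta_policy or (response_policy or "").lower()
    if policy in PATH_HIDING_POLICIES:
        return [(href, False) for href, _ in p.external]
    return p.external


def leaking_links(page_url, html, response_policy=None):
    """Just the hrefs that would disclose the obscure page URL to another site."""
    return [href for href, leaks in audit_page(page_url, html, response_policy) if leaks]


# Constructed sample page: one internal link, one plain external link,
# one external link marked noreferrer, and a mailto: link.
SAMPLE_HTML = """
<html><head><title>Client form</title></head>
<body>
<a href="/cj33wq-submit.cgi">Submit</a>
<a href="https://partner.example.org/docs">Partner docs</a>
<a href="https://other.example.net/" rel="noopener noreferrer">Other</a>
<a href="mailto:keithl@example.com">Mail</a>
</body></html>
"""

# Same page with a document-level referrer policy added.
SAMPLE_HTML_WITH_META = SAMPLE_HTML.replace(
    "<head>", '<head><meta name="referrer" content="no-referrer">'
)

if __name__ == "__main__":
    page = "https://example.com/cj33wq.html"
    for href, leaks in audit_page(page, SAMPLE_HTML):
        print(("LEAKS " if leaks else "safe  ") + href)
    print("with meta tag:", leaking_links(page, SAMPLE_HTML_WITH_META))
    print("with header:  ", leaking_links(page, SAMPLE_HTML, "strict-origin"))
```

The fix for a page that turns up in the LEAKS list is either the meta tag shown, `rel="noreferrer"` on each outbound link, or (for mod_headers on Apache) a site-wide `Header always set Referrer-Policy "no-referrer"`, after which the audit reports nothing. None of this helps against the other channel the reply names, a browser that misbehaves or a client who links to the page, so it narrows the exposure rather than removing it.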