[PLUG] Unlinked web pages with obscure names - mildly secure?
Ronald Chmara
ron at Opus1.COM
Sat Nov 17 08:30:44 UTC 2007
On Nov 14, 2007, at 7:58 AM, Keith Lofstrom wrote:
>
> Apache/Web question:
> I have a few https web pages on my site with URLs like cj33wq.html .
> These drive CGI scripts that do stuff for clients, send me messages,
> etc. They are not linked to (unless my clients do so - bad client!).
Thought about del.icio.us? Sometimes well intentioned people link/
bookmark "hidden" access points in public ways...
> Nothing falls apart if the bad guys find them and start frobbing on
> them; it is just mildly inconvenient. While most are password
> protected, some are not (like the page where they prove who they are
> then tell me what they want for a password).
> If I understand Apache and web service, there is no way that the bad
> guys can find these pages without an exhaustive search (which would
> be obvious from the logs) or by listening in on my client's traffic.
Brute force web hacks exist, FWIW.
Somebody already mentioned Apache's index generation....
So, another frequent vector to consider: mod_speling is not always
your friend. A reasonable Apache setup designed to correct for
CJ33WQ.htm will *happily* find cj33wq.html.
Oh, and it never hurts to deny unfriendlies/bots, unless, of course,
your denial gives more exploit/other information away.
See:
<http://www.whitehouse.gov/robots.txt>
For a few breathtaking pauses on the issue.
-Bop
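As an added example (not from the thread, and not Ron's or Keith's code), a small Python check over constructed Apache combined-format access-log lines that picks out the two things discussed above: a client walking through many nonexistent names, which shows up as a burst of 404s, and a mod_speling redirect that turns a guess like CJ33WQ.htm into the real cj33wq.html. The sample log lines, the hidden-page list and the 404 threshold are assumptions.

```python
import re
from collections import Counter

# Apache combined log format; the sample lines below are constructed, not real traffic.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2007:08:01:01 +0000] "GET /aaaa.html HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [17/Nov/2007:08:01:02 +0000] "GET /aaab.html HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [17/Nov/2007:08:01:03 +0000] "GET /aaac.html HTTP/1.1" 404 209 "-" "scanner/1.0"
198.51.100.4 - - [17/Nov/2007:08:05:10 +0000] "GET /CJ33WQ.htm HTTP/1.1" 301 231 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Nov/2007:08:05:11 +0000] "GET /cj33wq.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Nov/2007:08:10:00 +0000] "GET /cj33wq.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

HIDDEN_PAGES = {"/cj33wq.html"}   # the unlinked pages being watched (assumed)
NOTFOUND_THRESHOLD = 3            # 404s per client before calling it enumeration (assumed)

def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            yield d

def find_enumerators(log_text, threshold=NOTFOUND_THRESHOLD):
    """Clients with >= threshold 404s: the 'exhaustive search' that is obvious in the logs."""
    counts = Counter(e["ip"] for e in parse(log_text) if e["status"] == 404)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def find_speling_hits(log_text, hidden=HIDDEN_PAGES):
    """301 responses to a path that matches a hidden page up to case/extension:
    the mod_speling correction that hands the real filename to the requester."""
    hits = []
    for e in parse(log_text):
        if e["status"] != 301:
            continue
        stem = e["path"].lower().rsplit(".", 1)[0]
        for page in hidden:
            if stem == page.rsplit(".", 1)[0] and e["path"] != page:
                hits.append((e["ip"], e["path"], page))
    return hits
```

Any client in `find_enumerators` is a candidate for a deny rule, and any hit from `find_speling_hits` is a sign that `CheckSpelling` should be off for the directory holding the unlinked pages.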