"Hacking" into an FQ-hosted web site
songdog
06-02-2002, 02:45 AM
I don't know very much about web site hacking exploits, so I have a question for those who do:
I have "Disable Directory Indexing" turned ON in my CNC.
If I create a sub-directory named "top_secret" under my www directory and put an index.html page in it, how hard would it be for a hacker to find (i.e. view) this page? [Assume the hacker doesn't simply "guess" the directory name or use a dictionary attack to find the directory name.]
I've wondered about something similar. I have a small script (a rather silly little thing to be concerned about, just a PHP md5() generator that I can plug in a value and quickly get the md5 equivalent string back for confirming stuff; I can do that locally now) that as far as I know is not linked from any other pages and has not been shared with anyone, yet some random person has emailed me a couple of times saying he/she really needs it for their own use. When I have asked how they discovered its location on the server, I got no reply. The file is in my /www/ folder along with an index file obviously, so I can't think of any way to see it without knowing the URL already.
There isn't a way of listing a directory's contents with an index file in place, is there? The only explanation I can think of is a mischievous packet sniffer (from FTP'ing the file to the server) or something, in which case one has to ask why the person would be dumb enough to not know how to build a 1 line script to echo an md5() equivalent if they know how to sniff packets...
Dan
If you leave your "private page" and visit another page...it could easily end up in their stats as a referrer... A lot of people log what page the visitor is coming from. To avoid such a simple mishap I would strongly advise password protecting files/directories that you would rather not have viewed by the public.
Deb
- Oh I was just in the neighborhood...
That's a good point. Always hard to tell when those non-referrer visits will get picked up. Although, in the case I mentioned above, I very much doubt I visited a page of the person who found out about that file. Maybe they hacked into someone's server logs whose site I had visited...
Dan
Does the referrer ever get logged if you open the link in a new window (e.g. when clicking links from your stats)?
I noticed Opera allows you to check or uncheck "allow referrer logging" in its quick preferences. I leave it on though because 99% of the time I don't want to deprive other webmasters of decent stats :)
I see that the CNC does not allow password protection of individual files. Is there some way of doing this, or does one have to stick the file in a directory and then password protect the directory?
Joe
You may find the following tutorial helpful:
http://www.aota.net/htaccess/pwprotect.php3
Note: You will need to make slight modifications to restrict it to protect only one file. The easiest way to do this is to place the "require" line within <FilesMatch> - for example:
AuthUserFile /big/dom/xdomain/protect/passwords
AuthName "Restricted_Access"
AuthType Basic
# FilesMatch takes a regular expression: quote it and anchor it with ^ and $,
# and escape the dot, so only this exact file name is matched.
<FilesMatch "^mypage\.html$">
require user username
</FilesMatch>
Replace "mypage.html" with the name of the file you want protected.
Other than this, simply follow the rest of the tutorial as-is.
Deb
- Just one slice please
kitchin
06-02-2002, 11:48 AM
If your stats page is not password-protected, it would be easy to guess the address domain.tld/stats and harvest there. As for referrer sending, my browsers send it:
1. when clicking a link from any remote page,
2. when right-clicking from a remote page and selecting "open in new window,"
3. when clicking a remote page's link that opens in a new window (using "target"),
4. not, when clicking from a local page,
5. not, when typing in an address while another page is displayed;
6. and finally a weird one: if I "control-n" for a new page in IE 5, the same old referrer gets sent.
But I don't know about other browsers. There's probably a web page about it out there. You can use this to experiment:
<?php
$f = 'HTTP_REFERER';
// The header is optional, so check it exists; escape it before printing so a
// crafted Referer value cannot inject HTML into the page.
$r = isset($_SERVER[$f]) ? $_SERVER[$f] : '';
print "$f [" . htmlspecialchars($r, ENT_QUOTES, 'UTF-8') . "]<br>\n";
?>
In the good old days that would have been
HTTP_REFERER [<?php echo $HTTP_REFERER ?>]<br>.
Must be a plot by perl scripters to uglify php. :) And I like perl.
Here are some more weird ones:
7. The very early Compuserve browser, a version of Mosaic 1.0, sent your email address with each http request. If you deal with web forms, you discover many people think this is how all browsers work! You know, people who don't think they need to provide any contact info and that you will be able to reach them.
8. Tricky spider type people used to put an html image tag in the "user agent" part of the request. Then the picture would show up in your stats, simultaneously sending a "referer" to the tricky server with the image. Voila they had the address of your stats page, or analysis script. Do they still do this? Probably tags are now stripped.
9. That reminds me, a referrer is also sent for each picture on a page. The referrer is the page itself.
Also...
There isn't a way of listing a directory's contents with an index file in place, is there?
No answer yet, so I answer: no. [?]
I should have clarified what I meant by "hacking into server logs" before going to bed last night... I simply meant unauthorized viewing, such as not password protecting them.
4. not, when clicking from a local page,
I've seen plenty of localhost and local file system referrers in my stats...
Dan
kitchin
06-02-2002, 01:40 PM
Originally posted by dank:
I've seen plenty of localhost and local file system referrers in my stats...
That's good to know! I wonder if it was an oddball browser or a complex network/proxy thing, or maybe I just didn't test my browsers well enough: IE 5, Netscape 4, on Win98.
I couldn't tell you, I just know they find their way in there fairly regularly.
Dan
sheila
06-02-2002, 05:45 PM
It would be quite simple to get "localhost" as a referrer in your stats.
For example, if I set up and run Apache on my home computer, and enter http://localhost in the Location bar, and if this takes me to my default page which contains a link to your site, and I click it. There, now you have localhost in your referer stats.
The explanation is simple enough, but I thought kitchin was saying there's a technical reason why that would not show up as a referrer, being non-nettish and all.
Dan
kitchin
06-02-2002, 09:53 PM
Sheila's talking about running server software on your computer. My computer is server-free! Just installing Front Page will put some kind of pretend server on there, but I'm out of my depth now. :)
sheila
06-02-2002, 11:45 PM
A server is merely a program that sits there listening on a particular port (or ports) for incoming connections.
I'm not familiar with the "pretend" server included in Front Page, but I would wager it is an actual server, with limitations.
In order to test certain types of web page functionality, one needs to run a server. Probably the Front Page extensions require this. Or .asp scripts. Possibly the Front Page server listens on Port 80 (or some other ports) for connections from 127.0.0.1 only? This would make it useful only for the local user for testing the pages locally, and would not allow others on other IP addresses to connect to the server?
--I can conjecture with the best of them.
songdog
06-03-2002, 01:33 AM
Going back to my original posting in this thread:
...Since I have my stats directory password protected and always close my browser after viewing my top_secret/index.html page, I guess I should be pretty safe then?
I don't password protect the top_secret directory because I want a couple friends to have access w/o having to enter a password.
I'm not worried about one of these friends exposing the URL by visiting some other web site. I just want to make sure a certain individual can't identify and view the page through some ingenious technical manipulation.
sheila
06-03-2002, 01:47 AM
Since your stats directory is password protected, and you assume that someone would not easily be able to guess the name of the top_secret directory, then the only people who would be able to find that directory (and included files) without using dictionary attacks would be other webmasters who, viewing their stats, might have a link as a referrer from someone (one of your friends) who visited your pages and then went to the other website.
If you are not concerned about the links that your fiends might leave in other webmaster's stats, as referer entries, then I guess you are pretty secure with the set up you described.
songdog
06-03-2002, 12:14 PM
Originally posted by sheila:
If you are not concerned about the links that your fiends might leave...Sheila, Thanks for your reply. Now I feel comfortable with my setup.
BTW, they're my friends, not fiends!! :noddy:
sheila
06-03-2002, 12:46 PM
Ack! That is an embarrassing typo. :BPG2:
I guess I will leave it there, so your reply makes sense. :o
songdog
06-03-2002, 05:45 PM
Now that I think of it, this is a rather interesting "feature" of how the 2 words are spelled. A friend can very easily become a fiend.
sheila
06-03-2002, 09:57 PM
By the way, Scott, after thinking about this a bit more...I would have to go with Deb's recommendation to password protect any site that you don't want viewed by the public.
Even though it seems that it wouldn't be such a big deal, for your friends ;) to leave a link in some other site's referer logs, all it takes is one link to get out there for a spider to find it and crawl the site.
And, I have a story about that:
A few months ago, I was reading one of the newsgroups where I am a "regular" (k12.chat.teacher) and one of the other regulars had posted a link to some commercial site, that had apparently taken many of our posts to the newsgroup, and put them (without any attribution) into a forum of theirs. Many of us went and looked, and were astounded to see our own words taken without attribution and put into this other web forum. Many of us wrote angry emails to the parties involved demanding that this be stopped.
Then the story came out. Apparently, this was a development server that was not supposed to be publicly viewable. This company was "testing" their forums. (Why they had to do it with our Usenet posts, I'll never know. But if they had password protected the site, we would have been none the wiser. It was an educational site...or supposed to be.) What happened is that a cousin of one of the k12.chat.teacher regulars searched for her name at Google, and found a link to this test forum on this development server. He looked at the messages and then sent the link to her in an email. After that, she shared what had been found with the rest of the newsgroup.
After the many emails, a company representative replied to our emails and posted in the newsgroup.
Who knows how that one link got into Google that got this company into so much trouble with us? Dunno. It only takes a single link, though, for the spider to crawl the site. If the site had been password protected, this situation would never have happened.
--Food for thought.
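The thread's point is that an unlisted directory stays private only until one link leaks, through another site's referrer stats or a crawler. A defender can watch for exactly those signs in the site's own access log. The script below is an added example, not code from the thread or from the hosting provider: it parses Apache "combined" format log lines and flags requests to the private path that either carry an external Referer (the URL is now linked from somewhere) or come from a crawler user agent (a spider has found it). The path /top_secret/, the hostnames in OWN_HOSTS and the log lines themselves are constructed for the example.

```python
"""Spot signs that an unlisted URL has leaked, using the server's own access log."""
import re
from urllib.parse import urlsplit

PRIVATE_PREFIX = "/top_secret/"                  # assumed: the directory kept out of the index
OWN_HOSTS = {"www.example.com", "example.com"}   # assumed: hostnames of the site itself
CRAWLER_UA = re.compile(r"bot|crawl|spider|slurp", re.IGNORECASE)

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): a direct visit, a visit via an external
# link, a crawler hit, a public-page hit, and a visit via a link on the site itself.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2002:21:57:01 +0000] "GET /top_secret/index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
198.51.100.7 - - [03/Jun/2002:22:01:44 +0000] "GET /top_secret/index.html HTTP/1.1" 200 512 "http://www.example.net/links.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
66.249.0.10 - - [03/Jun/2002:22:05:09 +0000] "GET /top_secret/index.html HTTP/1.1" 200 512 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
203.0.113.5 - - [03/Jun/2002:22:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.9 - - [03/Jun/2002:22:07:12 +0000] "GET /top_secret/ HTTP/1.1" 200 512 "http://www.example.com/top_secret/index.html" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of a Referer value; None when the browser sent none ("-" in the log)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def leak_findings(log_text):
    """List (ip, path, reason, evidence) for private-path requests that suggest the URL is known
    outside the intended circle. Same-site referers and no-referer visits are left alone, since
    a friend navigating the site or using a bookmark produces exactly those."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PRIVATE_PREFIX):
            continue
        host = referer_host(rec["referer"])
        if host and host.lower() not in OWN_HOSTS:
            findings.append((rec["ip"], rec["path"], "external-referer", rec["referer"]))
        if CRAWLER_UA.search(rec["ua"]):
            findings.append((rec["ip"], rec["path"], "crawler", rec["ua"]))
    return findings


if __name__ == "__main__":
    for ip, path, reason, evidence in leak_findings(SAMPLE_LOG):
        print(f"{reason:17} {ip:15} {path}  <- {evidence}")
```

Run against a real log file instead of SAMPLE_LOG by reading it into a string. A single "external-referer" or "crawler" hit on the private path is the cue the thread is describing: the URL has escaped, and the directory should be password protected rather than merely unlisted.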
songdog
06-03-2002, 10:05 PM
All I can say is: wow.
Excuse me, I have to go add a password to my site...