Restrict URL tampering with a rewrite rule for virtual hosts


Postby fyfasan » Sun Apr 19, 2009 11:42 am

Hi!

I'm using a product from Oracle called Application Express. This product uses the same URL structure for every call to the server.
I have two different applications installed on the same server and I have defined them as two virtual hosts in the Apache configuration file looking something like this:

<VirtualHost *:80>
    ServerAdmin webmaster@domain1.no
    DocumentRoot C:/oracle/product/10.2.0/htp/Apache/Apache/htdocs/domain1.no
    ServerName www.domain1.no
    ErrorLog C:/oracle/product/10.2.0/htp/Apache/Apache/logs/domain1.no-error_log
    RewriteEngine On
    RewriteRule ^/$ /pls/apex/f\?p\=100:100 [R=302,L,NE]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@domain2.no
    DocumentRoot C:/oracle/product/10.2.0/htp/Apache/Apache/htdocs/domain2.no
    ServerName www.domain2.no
    ErrorLog C:/oracle/product/10.2.0/htp/Apache/Apache/logs/domain2.no-error_log
    RewriteEngine On
    RewriteRule ^/$ /pls/apex/f\?p\=103:100 [R=302,L,NE]
</VirtualHost>


When someone calls www.domain1.no Apache rewrites the URL to www.domain1.no/pls/apex/f?p=100:100
The same goes for calls to www.domain2.no. These calls are rewritten to www.domain2.no/pls/apex/f?p=103:100

The first value in the 'p' parameter tells Application Express which application to access.

The problem I'm having is that the user can change this application value in the URL and then get access to the other domain. For example, if the user enters www.domain1.no in the browser, Apache rewrites this to www.domain1.no/pls/apex/f?p=100:100. Then the user changes the URL to www.domain1.no/pls/apex/f?p=103:100 and suddenly accesses the application for www.domain2.no under the wrong domain name.


Is it possible to check this application value in all calls to that given domain and rewrite this value back to the default if it has been tampered with?

Best Regards
Trond

Postby richardk » Sun Apr 19, 2009 1:07 pm

Will /pls/apex/f and :100 change?

Try
<VirtualHost *:80>
    ServerAdmin webmaster@example.no
    DocumentRoot C:/oracle/product/10.2.0/htp/Apache/Apache/htdocs/example.no
    ServerName www.example.no
    ErrorLog C:/oracle/product/10.2.0/htp/Apache/Apache/logs/example.no-error_log

    RewriteEngine On

    # Break up the query string.
    # %1 = anything before p=
    # %3 = the "application ID"
    # %4 = anything after :
    RewriteCond %{QUERY_STRING} ^((.*&)?)p=([0-9]+):([0-9]+(&.*)?)$ [NC]
    # If %3 isn't 100 they have changed the "application ID".
    RewriteCond %3 !^100$
    # Change it back.
    RewriteRule ^(/.*)$ $1?%1p=100:%4 [R=301,L]

    RewriteRule ^/$ /pls/apex/f?p=100:100 [NE,R=302,L]
</VirtualHost>

Postby fyfasan » Mon Apr 20, 2009 7:18 am

Hi!

Thanks for your reply :)

richardk wrote: Will /pls/apex/f and :100 change?


No, the application number 100 will not change for the domain.

I tried adding your suggested lines to the configuration file but I'm still able to change the application number.

Here are some lines from the rewrite_log. Maybe they can give a clue why this is not working?

(2) init rewrite engine with requested uri /pls/apex/f
(3) applying pattern '^(/.*)$' to uri '/pls/apex/f'
(4) RewriteCond: input='p=103:1:3388569637903873' pattern='^((.*&)?)p=([0-9]+):([0-9]+(&.*)?)$' => not-matched
(3) applying pattern '^/$' to uri '/pls/apex/f'
(1) pass through /pls/apex/f
(2) init rewrite engine with requested uri /pls/apex/f
(1) pass through /pls/apex/f
(2) init rewrite engine with requested uri /i/javascript/apex_ns_3_1.js
(3) applying pattern '^(/.*)$' to uri '/i/javascript/apex_ns_3_1.js'
(4) RewriteCond: input='' pattern='^((.*&)?)p=([0-9]+):([0-9]+(&.*)?)$' => not-matched


Regards
Trond

Postby richardk » Mon Apr 20, 2009 7:35 am

No, the application number 100 will not change for the domain.

I meant like :100 is different to :1:3388569637903873. Does /pls/apex/f change?

Replace
^((.*&)?)p=([0-9]+):([0-9]+(&.*)?)$

with
^((.*&)?)p=([0-9]+):(.+)$
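A Python port of the RewriteCond/RewriteRule pair above, added here as an illustration (not code from the thread or from Apache), run against the query strings that appear in the rewrite_log and URL list in this thread; it also shows why the first pattern logged not-matched on the three-part p value. Because the rule only inspects the raw, undecoded QUERY_STRING, it is a convenience redirect rather than an authorization control, and APEX itself must still decide who may open application 103.

```python
import re
from typing import Optional

# The two RewriteCond patterns posted in the thread, compiled with the
# [NC] flag's case-insensitivity. This is a hypothetical re-implementation
# of the mod_rewrite logic; the real check runs inside Apache.
FIRST_PATTERN = re.compile(r'^((.*&)?)p=([0-9]+):([0-9]+(&.*)?)$', re.IGNORECASE)
FINAL_PATTERN = re.compile(r'^((.*&)?)p=([0-9]+):(.+)$', re.IGNORECASE)


def fix_app_id(query: str, expected: str = "100",
               pattern: "re.Pattern[str]" = FINAL_PATTERN) -> Optional[str]:
    """Mirror `RewriteCond %{QUERY_STRING} ...`, `RewriteCond %3 !^100$` and
    `RewriteRule ^(/.*)$ $1?%1p=100:%4` on a raw query string.

    Returns the query string the 301 redirect would carry when the
    application id differs from `expected`, or None when mod_rewrite
    would pass the request through untouched.
    """
    m = pattern.match(query)
    if m is None:
        return None                 # rewrite_log: "=> not-matched"
    before, app_id, rest = m.group(1), m.group(3), m.group(4)
    if app_id == expected:
        return None                 # %3 is already 100: second cond fails
    return f"{before}p={expected}:{rest}"   # %1p=100:%4


if __name__ == "__main__":
    # Sample inputs constructed from the thread's log lines and URL list.
    for q in ("p=103:1:3388569637903873",
              "p=100:6:1260579780550809:VIEW:::a:b",
              "p_file_id=42", ""):
        print(repr(q), "->", fix_app_id(q))
```

The percent-encoded form `p=103%3A1` is also left untouched by the regex, which is exactly why the access decision cannot rest on this rule alone.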

Postby fyfasan » Mon Apr 20, 2009 8:58 am

I meant like :100 is different to :1:3388569637903873. Does /pls/apex/f change?


Sorry for the misunderstanding. Yes, the URL after the application number does change (as you saw in the log file). This is also true for /pls/apex/f.

There are three main URLs. These are:

/i/tegn/<some file>
/pls/apex/TEGN.show_image?p_file_id=<some_id>
/pls/apex/f?p=100:6:1260579780550809:VIEW:::<parameters>:<values>


I have changed the configuration file and everything seems to be working great now. The first two URLs seem to pass through unaffected, and if I change the application value from 100 to 103 in the last URL, it is rewritten to 100 again.

Do the two first URLs cause any problem with the RewriteCond you made?

Trond

Postby richardk » Mon Apr 20, 2009 9:16 am

Do the two first URLs cause any problem with the RewriteCond you made?

No, it should work with no problems. The RewriteRule matches all URLs. If you wanted to, you could have it so it only matches those URLs.

Postby fyfasan » Mon Apr 20, 2009 9:47 am

Ok.

Thank you so much for helping me with this problem!!

Best Regards
Trond