I am trying to use Response.Flush() with IIS URL Rewrite outbound rules but I get the result on Chrome only after the end of the vb.net page executions.
Any ideas?
Related
I found a vulnerability for content-spoofing on my webpage.
This URL:
https://www.mygreatsite.com/www.mygreatsite.com%20has%20moved%20to%20www.evilsite.com.%20CHECK%200UT%20H0W%20COOL%20THE%20NEW%20SITE%20IS!%20Sadly,%20the%20file%00
Apache Output:
Not Found
The requested URL /www.mygreatsite.com has moved to www.evilsite.com. CHECK 0UT H0W COOL THE NEW SITE IS! Sadly, the file was not found on this server.
--
The URL Overrides the Apache-Error and outputs the text added to the URL in the Browser, along with a 404-Error.
Actually, all requests to the server should be redirected to the CMS (Typo3) which in turn handles the 404-error and shows a custom page.
When I enter an URL that doesn't exist, this works perfectly. Just the above mentioned URL screws everything up.
Interestingly, when I delete the «%00» from the end of the URL, the request is forwarded to the CMS and the correct error document is displayed.
I tried to add a separate ErrorDocument-Directive to the htaccess-file - with no success.
Any ideas what goes wrong and how I could solve this?
As Anubhava points out, when a NULL-Byte is detected, Apache doesn't load any modules and just throws the 404. That's why ErrorDocument and mod_rewrite in the htaccess don't work.
[Edit for clarification]
%00 or in Hex \x00 is a NULL byte. When web server finds a NULL byte at the end then web server thinks it is a spoofing request and considers it to be dangerous to be processed by any directives.
Due to security reasons web server doesn't load any modules for this request and returns a 404 / Not found status. Browser shows default 404 page with your decoded URL just below Not Found text.
When you use modrewrite to rewrite your urls, when does the rewrite occur. Will the user be able to see the url before rewrite, when hovering over the link? When they hover over a link will their browser display the rewritten url or the url before it was modified with modrewrite?
The rewrite is done in the server so the user will never know,
PHP also doesn't know what link its pointing to only the script file
mod_rewrite acts on the server side, meaning that apache rewrites incoming URLs before responding to the request. Any HTML links you add to a page will point to the URL you entered, as mod_rewrite doesn't modify any outgoing data.
The rewrite occurs when Apache has parsed the request - before the PHP interpreter has been started.
I'm new to Apache mod_rewrite but I was able to get it to work for simple URL translation for static pages accessed using the GET method.
I'm having trouble to get the URL translation to work for web services though. Basically all I want is to redirect the request from Apache to tomcat that runs under 8093 . I tried:
RewriteRule myproject/myservices/myService/(.*) http://www.localhost:8093/myproject/myservices/myService/$1
But I get a "The document has moved here" response. Any ideas would be appreciated. Thanks.
I think the problem is that your request is only rewritten, but not proxied. You could try to append [P] at the end or look into mod_proxy: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
I am using the following code to try and redirect to https, it is not working. This code has been suggested as the answser for redirects on numerous other posts.
If Not Request.IsLocal AndAlso Not Request.IsSecureConnection Then
Dim redirectUrl As String = Request.Url.ToString().Replace("http:", "https:")
Response.Redirect(redirectUrl)
End If
Anyone have any ideas on what I can check, using fiddler now to look at traffic.
SSL is set in IIS 6, cert is correctly installed on site.
What else am I missing?
Thanks.,
If you're testing locally, then your first If condition will be met and it will never go to HTTPS. Anything in the log file if that's not the case? Any error returned on page?
We have a web resource that can be accessed with a URL/URL of the form:
http://[host1]:[port1]/aaa/bbb.ccc?param1=xxx¶m2=yyy...
However, we are working with an external (i.e., not developed by us, so not under our control, i.e., we can't change it) client app that is attempting to access our resource with a URL that looks like:
http://[host2]/[port2]/ddd/fff/param1=xxx¶m2=yyy...
In other words, the client is including the "query string" (the ?param1=xxx¶m2=yyy... part) as if it's part of the URI, instead of as a proper query string.
We have a separate Apache proxy instance, and we're thinking that we could use that with some RewriteCond/RewriteRule to take the incoming requests (the ones with the query string at the end of the "URI", and without the "?") and rewrite the URI to a "proper" URI with a "proper" query string and then use that modified/re-written URI to access our resource via proxy.
We'd also like to do that without having an HTTP re-direct (e.g., 30x) going back to the client, because it appears that they may not be able to handle such a re-direct.
I've been trying various things, but I'm not that familiar with Apache mod_rewrite, so I was wondering if someone could tell me (1) if this is possible and (2) suggest what RewriteCond/RewriteRule would accomplish this?
P.S. I have gotten some progress. The following re-writes the URL correctly, but when I test, I'm seeing a 302 redirect to the re-written URL, instead of Apache just proxying immediately to the re-written URL. Is it possible to do this without the re-direct (302)?
<Location /test/users/>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/(.*)/param1=
RewriteRule ^/(.*)/param1=(.*) http://192.168.0.xxx:yyyy/aaa/bbbbb.ccc?base=param1=$2
</Location>
Thanks, Jim