|
Home > Archive > Apache Server configuration support > August 2005 > Block FlashGet Site Explorer (spying your webserver directories)
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Block FlashGet Site Explorer (spying your webserver directories)
|
|
| Robertico 2005-08-25, 7:56 am |
| The download manager FlashGet (former JetCar) has a feature called "Site
Explorer". (URL : http://www.amazesoft.com/)
With "Site Explorer" you can browse through the directories of your web
server (Apache).
FlashGet's "Site Explorer" fakes a Windows 98 system with IE
"GET / HTTP/1.1" 200 20385 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows
98)"
With "Site Explorer" and the download manager FlashGet you can download
everything that's displayed in "Site Explorer" (images, php-files etc)
From the manual:
The Site Explorer lets you explore FTP or HTTP servers. The site
explorer acts much like a Windows Explorer.
Quick Info:
Just type in a URL into the address bar to start browsing!
Double-click any files to download them (or open the directory).
What can we do to prevent this. Some directories must have read rights to
operate.
Regards,
Robertico
| |
| Richard Antony Burton 2005-08-26, 6:02 pm |
|
"Robertico" <Robertico@nomail.notvalid> wrote in message
news:dekffk$4vt$1@localhost.localdomain...
> With "Site Explorer" you can browse through the directories of your web
> server (Apache).
....
> With "Site Explorer" and the download manager FlashGet you can download
> everything that's displayed in "Site Explorer" (images, php-files etc)
....
> What can we do to prevent this. Some directories must have read rights to
> operate.
What exactly is it you are trying to prevent?
Access to specific content?
You can protect specific content that shouldn't be public with the auth
modules, or ideally don't put non-public information on a public server, but
that's probably not an option.
Directory browsing?
You can disable directory browsing to hide files that you don't actually
link to on any of your public pages, but this isn't really a good way to
protect content.
Consuming your bandwidth?
There are modules available to stop people using too much bandwidth. Try
mod_throttle, mod_bandwidth, etc.
Stealing all your content?
If you put it on a public site you can't expect everyone to simply not
download it. There are ways to try to stop people using leeching software to
rip down your entire site, though I'm not too familiar with those. The
modules mentioned above will make it harder/slower for people who try.
I might be able to give a better answer to your problem if you can explain
what it is specifically you are worried someone with this program will do to
your site.
Richard.
| |
| Robertico 2005-08-27, 8:01 am |
| Of course it's "public" content, but is don't like to show all my files
(even the php-files (source))
I have to make this content accessible to my webserver.
I already put an Index.html file in my directory to prevent that all the
content is shown in a'"normal" browser.
I already tried Options -Indexes in my httpd.conf-file, but that doesn't
work either.
With "Site explorer" you can download all the files without using the
website.
Maybe you can trie it yourself to see what's possible. I was surprised to
see some directories i supposed they were hidden.
It shows even the password protected directories, but they are not
accessible (fortunately)
Robertico
| |
| Richard Antony Burton 2005-08-27, 5:51 pm |
| Robertico wrote:
> Of course it's "public" content, but is don't like to show all my files
> (even the php-files (source))
If you have configured your site correctly (i.e. so php files are
executed, not simply served as plain text) there is no way for anyone to
download your source code (unless they have discovered a new exploit).
If they are able to with this tool, it is due to your server php
handling being misconfigured.
> I already put an Index.html file in my directory to prevent that all the
> content is shown in a'"normal" browser.
> I already tried Options -Indexes in my httpd.conf-file, but that doesn't
> work either.
If you have disabled automatic directory indexes and/or included a
default document in all your directories (and assuming you don't have
any scripts of your own that produce directory listings) there is no way
for them to browse your directories directly. The only content anyone
will be able to download is that which you link to yourself within your
own pages, or is linked to from an outside site.
What do your logs show? If the tool uses genuine referer headers then
you can see how the tool found it's way to the page in question, and
you'll probably find it has only managed to find the page because it
followed a link there or because your site isn't configured as you think
it is, not because it has special powers.
Richard.
| |
|
| "Robertico" <Robertico@nomail.notvalid> schreef in bericht
news:deps2v$nua$1@localhost.localdomain...
> Of course it's "public" content, but is don't like to show all my files
> (even the php-files (source))
> I have to make this content accessible to my webserver.
> I already put an Index.html file in my directory to prevent that all the
> content is shown in a'"normal" browser.
> I already tried Options -Indexes in my httpd.conf-file, but that doesn't
> work either.
Check your config for multiple Options settings, one cloaking the other.
Take notice of options in any .htaccess too.
If your Options -Indexes is in /.htaccess it might be ignored if the
allowoverride is not set for this category
> With "Site explorer" you can download all the files without using the
> website.
Where SE might not just follow your links, it will still depends on your
apache for its request.
So all of its request will be normally logged in your Apache's access_log.
If it gets more than you think it is entitled to, your httpd.conf has a
leak -or a link to a wide-open ftpd-!
> Maybe you can trie it yourself to see what's possible. I was surprised
> to see some directories i supposed they were hidden.
> It shows even the password protected directories, but they are not
> accessible (fortunately)
Neither does your frontdoor turn invisible after turning the key ...
Any link to a document can be chopped down to a list of files and folders,
probing each folder is the next step to explore them all.
HansH
| |
| Robertico 2005-08-27, 5:51 pm |
| FlashGet's "Site Explorer" fakes a Windows 98 system with IE.
Line from httpd-access.log after using "Site Explorer"
xxx.xxx.xxx.xxx - - [27/Aug/2005:20:07:07 +0200] "GET / HTTP/1.1" 200 21244
"-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Line from httpd-access.log after ussing MSIE:
xxx.xxx.xxx.xxx - - [27/Aug/2005:20:08:23 +0200] "GET / HTTP/1.1" 200 21272
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EnergyPlugIn;
dial)"
The "Site Explorer" lets you explore HTTP servers. The site explorer acts
much like a Windows Explorer.
Just type in a URL into the address bar to start browsing! Double-click any
files to download them (or open the directory).
> If they are able to with this tool, it is due to your server php handling
> being misconfigured.
If so (please try your own server first and maybe you'll also suprised) what
can i rectify ? It's not only with php-files :-((
No ftp running !!!
Sorry, i can't explain better, because english is not my native language.
Robertico
| |
| Richard Antony Burton 2005-08-27, 5:51 pm |
| Robertico wrote:
> FlashGet's "Site Explorer" fakes a Windows 98 system with IE.
That doesn't help it get anything from your site. Apache has no special
IE/98 open access mode.
> The "Site Explorer" lets you explore HTTP servers. The site explorer acts
> much like a Windows Explorer.
> Just type in a URL into the address bar to start browsing! Double-click any
> files to download them (or open the directory).
It's odd how much your description of this product sounds like the kind
of product description you would read on the advertising material. I did
a quick search on google which showed you asked about this in another
forum and were accused of posting spam.
> If so (please try your own server first and maybe you'll also suprised) what
> can i rectify ? It's not only with php-files :-((
No, I wont be suprised because I know what I'm talking about. And I
realise it isn't just php files it can download (it can download
anything that it can follow a link to), but we were talking about
specifically downloading the source of php scrips, which can only be
caused by a misconfigured server. This is not a feature of the product.
Additionally I'm not going to install something which appears to have so
many google hits when you seach with the word "spyware".
If you post some of your config files someone here will probably take a
look for you. You should also post the log entries that show the tool
accessing the php page in question in the instance it is able to get
your source, so we can see what url it is being accessed by. You may
have apache configured so that you can access the same page by two urls
(one being executed, and one just delievered as source).
On the other hand the more I think about it, the more I think you are
just spamming to try and get us to download this product. If not do feel
free to run the program against www.microsoft.com and let us all have
the source code for their web applications ;-)
Richard.
| |
|
| "Robertico" <Robertico@nomail.notvalid> schreef in bericht
news:deqh4t$vd6$1@localhost.localdomain...
> FlashGet's "Site Explorer" fakes a Windows 98 system with IE.
>
> Line from httpd-access.log after using "Site Explorer"
> xxx.xxx.xxx.xxx - - [27/Aug/2005:20:07:07 +0200] "GET / HTTP/1.1" 200
21244
> "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
>
> Line from httpd-access.log after ussing MSIE:
> xxx.xxx.xxx.xxx - - [27/Aug/2005:20:08:23 +0200] "GET / HTTP/1.1" 200
21272
> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EnergyPlugIn;
> dial)"
It's merely the request header 'User-Agent:' being logged and it's easy to
assume identity 'even' with IE:
Just change the registry entry ...
& #91;HKEY_CURRENT_USER\Software\Microsoft
\Windows\CurrentVersion\Internet
Settings]
"User Agent"="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8)
Gecko/20050511 Firefox/1.0.4"
.... to have Ie impersonate as FireFox ;-)
In short, the 'user agent' is a client-provided, _none-proven_ identity !
handling[vbcol=seagreen]
I second this opinion.
[vbcol=seagreen]
> No ftp running !!!
>
> Sorry, i can't explain better, because english is not my native language.
Neither mine ... how is life at Solcom?
| |
| Richard Antony Burton 2005-08-28, 5:52 pm |
| Robertico wrote:
> I attached an image with a listing from www.grc.com and one from www.php.net
> with a downloaded php-file (renamed to contact.php.txt)
> If you have a server i'd like to take a look to convice you (no need to
> download or install this miserable tool)
Ok, the image of www.php.net site shows a list of files which the tools
knows about. It has found these simply by looking for links on the main
page. If you open www.php.net in your browser you will see a link to the
contact page at the bottom right. All the items it is showing you in
that image are simply based on links on the main page. It is not showing
anything that it shouldn't be able to access, or that a user couldn't
access themselves by clicking around with a browser.
The contact.php.txt file doesn't contain php source code. It contains
html that was created by the server running the php script. If you open
www.php.net/contact.php in your browser and use the View Source option
you will see the same thing. This is normal, and does not indicate a
problem with the webserver, or anything great about the tool.
Richard.
|
|
|
|
|