Inspiring
August 22, 2006
Question

Restrict Access to Page

  • August 22, 2006
  • 7 replies
  • 386 views
Hi,

I'm using the Restrict Access to Page server behavior. If a user is not
logged in and enters upload.php he should be redirected to ab_admin.php.
That works, but in the address field the url is displayed as:

http://localhost/aba03/miscel/ab_admin.php?accesscheck=%2Faba03%2Fmiscel%2Fupload.php

What about these "%2"-entities? I didn't change anything in the source code.

Regards
carl


Inspiring
August 23, 2006
no worries mate. let me know as well if you find anything nasty about this,
or an easy solution.

the only thing I can think of, is *perhaps* you could spoof a page that had
a different clearance level with an url spoof and try to get into higher
level pages than your username typically allows you.

i'll check on that today at some point.

"carl" <carl@nospam.net> wrote in message
news:echnoa$196$1@forums.macromedia.com...
> Thank you, Jon !!
>
> Carl
>
> crash wrote:
>> :) I can tell you what's going on. Just not why it's setting it as it as
>> instead of a session variable or something.
>>
>> i didn't find anything while looking at this yesterday that said it would
>> cause a problem- the only thing I found was a reference to Opera having a
>> vulnerability in regards to the %2f as it relates to domain spoofing.
>>
>> Looking like everything should be fine, just not pretty. I'll post back
>> if I find contrary information.
>>


Inspiring
August 23, 2006
Thank you, Jon !!

Carl

crash wrote:
> :) I can tell you what's going on. Just not why it's setting it as it as
> instead of a session variable or something.
>
> i didn't find anything while looking at this yesterday that said it would
> cause a problem- the only thing I found was a reference to Opera having a
> vulnerability in regards to the %2f as it relates to domain spoofing.
>
> Looking like everything should be fine, just not pretty. I'll post back if
> I find contrary information.
>
Inspiring
August 23, 2006
:) I can tell you what's going on. Just not why it's setting it as it as
instead of a session variable or something.

i didn't find anything while looking at this yesterday that said it would
cause a problem- the only thing I found was a reference to Opera having a
vulnerability in regards to the %2f as it relates to domain spoofing.

Looking like everything should be fine, just not pretty. I'll post back if
I find contrary information.

HTH,

Jon
"carl" <carl@nospam.net> wrote in message
news:ecfquq$maa$1@forums.macromedia.com...
> Hi Jon,
>
> wow - I'm not the only one with that code (that's somehow satisfying).
> Perhaps someone could tell us what's going on.
> Thank you for the response.
>
> Carl
>
>
> crash wrote:
>> It didn't - your server did. What it's doing is creating a string
>> variable to feed to your login page to tell the login page (which is
>> located at whatever/login.php) where to redirect your browser to after
>> it's logged in.
>>
>> I see I have it as well. I don't know if it raises any valid security
>> concerns or not, but I would sure rather have it hidden...


Inspiring
August 22, 2006
Hi Jon,

wow - I'm not the only one with that code (that's somehow satisfying).
Perhaps someone could tell us what's going on.
Thank you for the response.

Carl


crash wrote:
> It didn't - your server did. What it's doing is creating a string variable
> to feed to your login page to tell the login page (which is located at
> whatever/login.php) where to redirect your browser to after it's logged in.
>
> I see I have it as well. I don't know if it raises any valid security
> concerns or not, but I would sure rather have it hidden...
Inspiring
August 22, 2006
It didn't - your server did. What it's doing is creating a string variable
to feed to your login page to tell the login page (which is located at
whatever/login.php) where to redirect your browser to after it's logged in.

I see I have it as well. I don't know if it raises any valid security
concerns or not, but I would sure rather have it hidden...

Jon

"carl" <carl@nospam.net> wrote in message
news:ecfch0$4nr$1@forums.macromedia.com...
> crash wrote:
>> http://www.w3schools.com/tags/ref_urlencode.asp
>>
>
> Thank you - "%2f" means a slash. But why does D8 input these slashes (I
> didn't), where do they come from?
>
> Carl
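
The mechanism described in the post above, as an added example that is not part of the original thread and not Dreamweaver's generated code: the restricted page URL-encodes the requested path into `accesscheck` (which is where `%2F` comes from), and the login page checks that value before redirecting to it. The function names, the fallback page `/aba03/miscel/index.php` and the sample values are assumptions made for illustration.

```php
<?php
// Restricted page side: build the login URL carrying the originally requested
// path. urlencode() turns every "/" into "%2F", as seen in the address bar.
function build_login_url(string $loginPage, string $requestedPath): string
{
    return $loginPage . '?accesscheck=' . urlencode($requestedPath);
}

// Login page side: choose the post-login redirect target. Only a path on
// this site is accepted; anything else falls back to $default.
function safe_return_path(?string $accesscheck, string $default): string
{
    if ($accesscheck === null || $accesscheck === '') {
        return $default;
    }
    // Must be an absolute path on this host: one leading "/", not "//host".
    if ($accesscheck[0] !== '/' || strncmp($accesscheck, '//', 2) === 0) {
        return $default;
    }
    // No backslashes or control characters (header splitting, odd parsing).
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $accesscheck)) {
        return $default;
    }
    // A value that parses with a scheme or host is not a local path.
    $parts = parse_url($accesscheck);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $accesscheck;
}

// Constructed sample: the redirect from the thread, rebuilt.
$loginUrl = build_login_url('/aba03/miscel/ab_admin.php', '/aba03/miscel/upload.php');
echo $loginUrl, "\n";

// PHP percent-decodes query values, so the login page sees "/" again.
parse_str((string) parse_url($loginUrl, PHP_URL_QUERY), $query);

// Constructed inputs: the legitimate value plus values that must be refused.
$default = '/aba03/miscel/index.php'; // hypothetical fallback page
$samples = [$query['accesscheck'], 'http://example.com/', '//example.com/x', ''];
foreach ($samples as $value) {
    printf("%-28s -> %s\n", var_export($value, true), safe_return_path($value, $default));
}
```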


Inspiring
August 22, 2006
crash wrote:
> http://www.w3schools.com/tags/ref_urlencode.asp
>

Thank you - "%2f" means a slash. But why does D8 input these slashes (I
didn't), where do they come from?

Carl
Inspiring
August 22, 2006
http://www.w3schools.com/tags/ref_urlencode.asp


"carl" <carl@nospam.net> wrote in message
news:ecf8n9$66$1@forums.macromedia.com...
> Hi,
>
> I'm using the Restrict Access to Page server behavior. If a user is not
> logged in and enters upload.php he should be redirected to ab_admin.php. That
> works, but in the address field the url is displayed as:
>
> http://localhost/aba03/miscel/ab_admin.php?accesscheck=%2Faba03%2Fmiscel%2Fupload.php
>
> What about these "%2"-entities? I didn't change anything in the source
> code.
>
> Regards
> carl