This code is insecure and subject to HTTP Response Splitting. You need to validate the various CGI variables before responding with a 302 redirect. Or, preferably, you use DNS to resolve both URLs to the same server.

http://en.wikipedia.org/wiki/HTTP_response_splitting

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
    --Thomas Jefferson



On Apr 25, 2008, at 9:53 AM, Ajas Mohammed wrote:

Hi,

I have a client who has a URL, say www.xyz.com. They want a new URL, www.abc.com, so that when a user enters www.xyz.com, the user should see www.abc.com in the browser's address bar. Basically an alias/redirection with the address bar showing the new URL. I could have done the redirection by DNS names/URL redirection at the website level, but the problem is I have a subfolder application, i.e. www.xyz.com/subapp.

Now if I do DNS/URL redirection and the user tries to access the subfolder application with this URL, www.xyz.com/subapp/home.cfm, it takes the user automatically to www.abc.com/home.cfm, i.e. the main application without the subfolder application, and I don't want that. It should take the user to www.abc.com/subfolder/home.cfm.

So, to avoid this redirection at the website level, I added this code in Application.cfm:

Code:
<!--- Relocate if not a secure connection --->
<cfif cgi.SERVER_PORT is "80" and cgi.SERVER_PORT_SECURE is "0">

    <!--- replace xyz with abc and keep the requested path --->
    <cfset x = "https://#Replace(cgi.HTTP_HOST, "xyz", "abc")##cgi.PATH_INFO#">

    <!--- carry the query string across, if there is one --->
    <cfif cgi.QUERY_STRING is "">
        <cfset y = "">
    <cfelse>
        <cfset y = "?#cgi.QUERY_STRING#">
    </cfif>

    <cflocation url="#x##y#"><cfabort>

<cfelseif cgi.HTTP_HOST contains "xyz">

    <!--- replace xyz with abc and keep the requested path --->
    <cfset x = "https://#Replace(cgi.HTTP_HOST, "xyz", "abc")##cgi.PATH_INFO#">

    <!--- carry the query string across, if there is one --->
    <cfif cgi.QUERY_STRING is "">
        <cfset y = "">
    <cfelse>
        <cfset y = "?#cgi.QUERY_STRING#">
    </cfif>

    <cflocation url="#x##y#"><cfabort>

</cfif>

My question to you guys is:

1. is this a good practice ?

2. do you see any security issues?

3. any performance issues?

4. does it ring any bells?

5. anything obvious I am missing here, or do you have a better solution?

Thanks,

--
<Ajas Mohammed />
http://ajashadi.blogspot.com
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives. "Live as if you were to die tomorrow. Learn as if you were to live forever."
-------------------------------------------------------------
Annual Sponsor - Figleaf Software

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
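As an added example for this thread (not code from either poster), the following shows the response-splitting mechanics Dean refers to and a validating replacement for the redirect builder. It is written in Python rather than CFML so that the raw 302 bytes can be inspected and counted; the hosts www.xyz.example/www.abc.example, the HOST_MAP allow-list and the request values are constructed for the example.

```python
"""
HTTP response splitting via an unvalidated redirect target, and a hardened
redirect builder. Example code added to this thread, not the original poster's
CFML. Hostnames, the allow-list and all request values are constructed.
"""
import re
from urllib.parse import quote

# Assumption: an explicit old-host -> new-host allow-list stands in for the
# substring Replace() used in the posted code.
HOST_MAP = {
    "www.xyz.example": "www.abc.example",
    "xyz.example": "abc.example",
}

# Any byte that can end a header line or otherwise confuse a header parser.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class RejectedRedirect(ValueError):
    """A CGI value failed validation; the caller should answer 400, not redirect."""


def naive_redirect_url(http_host, path_info, query_string):
    """Transcription of the posted logic: substring-replace the host, glue on path and query."""
    url = "https://" + http_host.replace("xyz", "abc") + path_info
    if query_string:
        url += "?" + query_string
    return url


def build_302(location):
    """Raw bytes a server writes for a 302 when the Location value is used verbatim."""
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: " + location + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def count_responses(raw):
    """How many HTTP responses a client or shared cache parsing this stream would see."""
    return len(re.findall(r"(?m)^HTTP/1\.[01] \d{3} ", raw))


def safe_redirect_url(http_host, path_info, query_string):
    """Validating version: allow-listed host, no control characters, re-encoded path and query."""
    host = http_host.split(":", 1)[0].lower()  # drop any :port the client sent
    if host not in HOST_MAP:
        raise RejectedRedirect("Host header not in allow-list: %r" % http_host)
    # PATH_INFO is handed to the application already URL-decoded (RFC 3875), so an
    # encoded %0d%0a in the request path is a literal CR LF here. Refuse it outright.
    if not path_info.startswith("/") or _CONTROL_CHARS.search(path_info):
        raise RejectedRedirect("PATH_INFO rejected: %r" % path_info)
    if _CONTROL_CHARS.search(query_string):
        raise RejectedRedirect("QUERY_STRING rejected: %r" % query_string)
    url = "https://" + HOST_MAP[host] + quote(path_info, safe="/")
    if query_string:
        # QUERY_STRING is still percent-encoded; keep %, & and =, encode anything else.
        url += "?" + quote(query_string, safe="=&%")
    return url


def is_rejected(http_host, path_info, query_string):
    """True if the validating builder refuses this request."""
    try:
        safe_redirect_url(http_host, path_info, query_string)
    except RejectedRedirect:
        return True
    return False


# Constructed PATH_INFO as the CGI layer would deliver it after decoding
# /subapp/home.cfm%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK... from the request line.
INJECTED_PATH = (
    "/subapp/home.cfm\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "<html>attacker page</html>"
)


def demo():
    """Run both builders against the injected path and report what a client would see."""
    raw = build_302(naive_redirect_url("www.xyz.example", INJECTED_PATH, ""))
    return {
        "naive_responses": count_responses(raw),
        "safe_rejected": is_rejected("www.xyz.example", INJECTED_PATH, ""),
    }


if __name__ == "__main__":
    print(demo())
```

With the naive builder the single 302 carries a second, complete 200 response whose body the attacker chose; a proxy or browser that reads ahead can cache it against the next request on that connection. Mapped back to the posted Application.cfm: replace `Replace(cgi.HTTP_HOST, "xyz", "abc")` with a lookup in a struct of permitted hosts and abort when the Host header is not in it (otherwise a request with `Host: www.xyz.example.attacker.test` becomes an open redirect to `www.abc.example.attacker.test`), and check CGI.PATH_INFO and CGI.QUERY_STRING for CR/LF before `<cflocation>`. The caveat worth remembering is that PATH_INFO reaches the application decoded while QUERY_STRING does not, so the path is the channel that most readily carries a literal line break.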
