alt.apache.configuration: Apache web server configuration issues.
#1
I feel rather foolish, but I can't find the answer in my Apache docs even though I'm pretty sure it's there. I'd be grateful for some .

I have a page that is basically just a form for the user to fill in. I want to populate one of the fields with the name of the page that the user clicked from to get to the form page -- either the URL or just the base name part. I'm sure there's some way to put a magic string in the text of the page and have Apache replace it with that information.

I want to do this purely in Apache (no Perl, PHP, ASP, etc., and of course no Javascript).

Oh yes, this is only one page out of my site. Will turning on Apache's whatever-it's-called feature degrade performance of all the rest of the pages enough to worry about?

Thanks!

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
#2
On 03/02/2007 23:38, Stan Brown wrote:
> I feel rather foolish, but I can't find the answer in my Apache docs
> even though I'm pretty sure it's there. I'd be grateful for some .
>
> I have a page that is basically just a form for the user to fill in.
> I want to populate one of the fields with the name of the page that
> the user clicked from to get to the form page -- either the URL or
> just the base name part. I'm sure there's some way to put a magic
> string in the text of the page and have Apache replace it with that
> information.
>
> I want to do this purely in Apache (no Perl, PHP, ASP, etc., and of
> course no Javascript).

Here is something to read, where you'll find answers to all your questions:

http://httpd.apache.org/docs/1.3/howto/ssi.html
http://en.wikipedia.org/wiki/Server_Side_Includes
http://bignosebird.com/ssi.shtml
http://www.apacheweek.com/features/ssi
http://www.yourhtmlsource.com/sitema.../includes.html

And if you want to do things in "Apache language" [1]:

http://en.wikipedia.org/wiki/Apache_language

HTH
Cyrus (the /googling/ virus)

[1] Apache is just a server, not a "language": it's like the mailman who brings letters but doesn't write them.

--
I love to be mailed just by smart people:
perl -we 'print "\12\142\145\162\156\141\155\141\100\151". "\164\167\145\142\56\151\164\12\12";'
Spammers scratch here with a diamond to find my address: |||||||||||||||||||||||||||||||||||||||||||||||
#3
"Stan Brown" <the_stan_brown@fastmail.fm> wrote in message news:MPG.202ed902e24f8d7e98a976@news.individual.net...
> ... I'm sure there's some way to put a magic
> string in the text of the page and have Apache replace it with that
> information.

http://httpd.apache.org/docs/2.2/mod/mod_include.html

I think DOCUMENT_NAME or DOCUMENT_URI can make you happy.

> Oh yes, this is only one page out of my site. Will turning on
> Apache's whatever-it's-called feature degrade performance of all the
> rest of the pages enough to worry about?

AFAIK the performance impact will be minimal if you keep that file in a folder of its own and activate SSI only for that folder.

HansH
#4
On 3 Feb, 22:38, Stan Brown <the_stan_br...@fastmail.fm> wrote:
> I feel rather foolish, but I can't find the answer in my Apache docs
> even though I'm pretty sure it's there. I'd be grateful for some .
>
> I have a page that is basically just a form for the user to fill in.
> I want to populate one of the fields with the name of the page that
> the user clicked from to get to the form page -- either the URL or
> just the base name part. I'm sure there's some way to put a magic
> string in the text of the page and have Apache replace it with that
> information.
>
> I want to do this purely in Apache (no Perl, PHP, ASP, etc., and of
> course no Javascript).
>
> Oh yes, this is only one page out of my site. Will turning on
> Apache's whatever-it's-called feature degrade performance of all the
> rest of the pages enough to worry about?
>
> Thanks!
>
> --
> Stan Brown, Oak Road Systems, Tompkins County, New York, USA
> http://OakRoadSystems.com/

I am not sure how much checking Apache does to make sure that the referring URL is actually a URL. Be aware that the referring URL can be spoofed (made up by the user), so make sure that when you echo the value to the screen you attempt to get rid of special HTML characters. Failure to do so allows social engineering attacks, where a user receives a link to your site and could end up releasing and other user login credentials. This kind of XSS attack is just what people are looking for these days.

So in my PHP script I would have this:

    <?php
    // Escape <, >, &, " and ' so a spoofed Referer cannot break out of
    // the attribute or inject markup; an absent Referer yields an empty field.
    print(htmlentities(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '', ENT_QUOTES));
    ?>

This prevents me setting the referer to a long string of javascript designed to inject code and steal credentials. The same goes for any data (like form data) that your user has typed in: do not echo it directly into your page without some sanity checks first.

Although Apache can obtain the values of these variables using SSI, I'm not in a position to say how secure that info is. Perhaps someone with more Apache experience of SSIs can tell you though.
#5
Sun, 4 Feb 2007 01:15:41 +0100 from HansH <hansh@invalid.invalid>:
> "Stan Brown" <the_stan_brown@fastmail.fm> wrote in message
> news:MPG.202ed902e24f8d7e98a976@news.individual.net...
> > ... I'm sure there's some way to put a magic
> > string in the text of the page and have Apache replace it with that
> > information.
> http://httpd.apache.org/docs/2.2/mod/mod_include.html

Thanks! I don't know what odd mental quirk had made me forget that -- maybe I was associating mod_include with including files as opposed to text snippets.

> I think DOCUMENT_NAME or DOCUMENT_URI can make you happy.

HTTP_REFERER seems to be the one, since I want the name or URL of the *previous* page and not this one.

> AFAIK the performance impact will be minimal if you keep that file in a
> folder of its own and activate SSI only for that folder.

Excellent thought; thanks! In addition, following the suggestion I've turned on the INCLUDES filter only for .shtml files, and this is the only .shtml file on my site.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
#6
"Stan Brown" <the_stan_brown@fastmail.fm> wrote in message news:MPG.202fb9f07c2ba74398a97e@news.individual.net...
>> http://httpd.apache.org/docs/2.2/mod/mod_include.html
> Thanks! I don't know what odd mental quirk had made me forget that --
> maybe I was associating mod_include with including files as opposed
> to text snippets.
>
>> I think DOCUMENT_NAME or DOCUMENT_URI can make you happy.
> HTTP_REFERER seems to be the one, since I want the name or URL of the
> *previous* page and not this one.

OK, I must have missed the 'from' in your line:
... the user clicked from to get to the form page ...

Bear in mind the HTTP_REFERER
- is easy to tamper with
- will be blank if the form was bookmarked
- might be disabled in some browsers
- might be removed or trimmed by some anti-virus or firewall software

HansH
#7
Sun, 4 Feb 2007 23:14:44 +0100 from HansH <hansh@invalid.invalid>:
> Bear in mind the HTTP_REFERER
> - is easy to tamper with
> - will be blank if the form was bookmarked
> - might be disabled in some browsers
> - might be removed or trimmed by some anti-virus or firewall software

Thanks for the reminders. The referrer is interesting information in this particular application, but not critical. There's no particular advantage to anyone suppressing or disabling it, but nothing awful happens if they do.

I've already tested, and my form works right even if there's no referrer, i.e. if someone goes directly to the page.

Again, thanks for the reminder -- and thanks for the initial pointer.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
#8
On 5 Feb, 02:30, Stan Brown <the_stan_br...@fastmail.fm> wrote:
> Sun, 4 Feb 2007 23:14:44 +0100 from HansH <h...@invalid.invalid>:
>
> > Bear in mind the HTTP_REFERER
> > - is easy to tamper with
> > - will be blank if the form was bookmarked
> > - might be disabled in some browsers
> > - might be removed or trimmed by some anti-virus or firewall software
>
> Thanks for the reminders. The referrer is interesting information in
> this particular application, but not critical. There's no particular
> advantage to anyone suppressing or disabling it, but nothing awful
> happens if they do.
>
> I've already tested, and my form works right even if there's no
> referrer, i.e. if someone goes directly to the page.
>
> Again, thanks for the reminder -- and thanks for the initial pointer.
>
> --
> Stan Brown, Oak Road Systems, Tompkins County, New York, USA
> http://OakRoadSystems.com/

It's not that your web page looks bad if the referer is tampered with, it's that it is a security risk. Unfortunately this type of attack is easy to do, can lead to your users' data and privacy being attacked, can lead to a corruption of your stats, and inconvenience to you. It is a legal issue as the accounts of your users are at risk. If you need more information on how this type of attack works, google for "referer field XSS".

I recently wrote to my ISP because they used the referer to fill in a form much as you describe. I tried to show the C#.NET developer how it meant that in this case an attacker could steal the users' session data and log in as them. He didn't get it, so I wrote again; he got it that time, but then started speaking about how random his sessions were and so on, and wrote back saying he wanted a proof of concept. I left it there as it's not my fight; if an ISP's head developer can't get it, why bother.

Rule number one: don't echo stuff to the page without validating it.

In your case, if you cannot use a serverside script like the simple one mentioned earlier, then use the request time, and have a script somewhere that greps for that time in the logs, something simple like that.