Using Isapi / Apache rewriting to mask URL strings, for cosmetics and security
One of the more recent additions to my ColdFusion frameworks is masking the uglier URLs using Isapi rewrite. In this article I'll be using Helicon's Isapi ReWrite, but Apache rewrite works in much the same way.
Usually in your ColdFusion frameworks (and in most other technologies as well) you are passing around a variable or two to control the page content, and more often than not it is in the URL. It never looks particularly clean if your URL has a long name-value query string behind it, like this:
Cosmetic reasons
So for two reasons URL rewriting seems like a good idea.
Firstly, to mask those ugly URLs with a URL rewriter. On a basic level this will rewrite a specified request to the URL you tell it to, taking your ugly list of name-value pairs and changing it into a user-friendly URL. If you are pitching this to a client this looks a lot more professional.
Security reasons
Secondly there is an added security benefit here. The URL gives a lot away about a website, like what the code base is, and is potentially a window on the internal workings of a website. Take a normal FuseBox application for example. The normal URL might be:
From here it is very easy to start messing around with the controller names, trying to dig out an 'admin' controller, or another common function controller. Similarly, adding values to pages where it is obvious a query has been fired is an easy way of testing if the developer is using 'cfQueryParam', with potentially disastrous results.
Along the same lines it is quite simple to inject form values into the URL (like this: http://www.mccran.co.uk/index.cfm/2009/7/30/Cross-site-Script-hacking-using-the-GET-method). By masking the URL and the values you make it considerably more difficult to do this; after all, if you can't see or get to the URL, how can you fool around with it?
So far I am implementing a rewrite script that will rewrite URLs into friendly strings. Here is a modified version of the .htaccess file I'm using.
# Version 3.1.0.68

RewriteEngine on
RewriteBase /wwwroot/

#generic
RewriteRule requestID/(.*)/(.*)/ index.cfm?decryptURL=$1&params=$2

# site pages
RewriteRule home(/)? index.cfm?go=controller.home
RewriteRule contact(/)? index.cfm?go=controller.contact
RewriteRule login(/)? index.cfm?go=controller.login
RewriteRule privacy(/)? index.cfm?go=controller.privacy
RewriteRule about(/)? index.cfm?go=controller.about
RewriteRule faqs(/)? index.cfm?go=controller.faqs
RewriteRule search(/)? index.cfm?go=controller.search
This code starts off by turning the RewriteEngine on, then setting the RewriteBase, which is typically your webroot, or the root of the site the file is for. Then the generic rule rewrites any URL params into the URL string.
The main part of the code is where we set an individual RewriteRule for each URL. The first example (home) looks for any URL request matching the 'home' string, and rewrites it to the URL given after the regular expression (index.cfm?go=controller.home). Pretty straightforward really.
There is a lot more you can do with this, and hopefully I'll get to explore rewriting in more depth in the future.
How to remove sshnas.dll trojan (Remove trojan FakeAlert) and msa.exe
So whilst playing with some Flash sites I managed to pick up the msa.exe virus, despite having a firewall (hard and soft), antivirus, and anti-spyware.
It was the Flash injection virus, and it installed several files into Windows 7, and a few sneaky .dlls to try and put it back again. SpyBot Search and Destroy will kill it, and so will Microsoft Essentials.
SpyBot Search and Destroy
http://www.safer-networking.org/en/spybotsd/index.html
Microsoft Essentials
http://www.microsoft.com/Security_Essentials/
Alternatively, follow these instructions; they worked for me.
sshnas.dll is a component of trojan FakeAlert. The trojan comes from malicious websites that ask users to download an Adobe Flash Player update or a player needed to view a movie online. The filename of the trojan is flash-HQ-plugin. Once started, the trojan will download and install core components: c.exe, msa.exe and sshnas.dll.
When downloaded, it will be configured to start automatically when Windows starts. Trojan FakeAlert may display many popups and fake security alerts, hijack Internet Explorer, and disable Windows Task Manager and Registry Editor. It is also usually installed in conjunction with rogue antispyware programs.
Download OTM by OldTimer from here and save it to desktop. (It looks a bit home made, but it works great.)
Run OTM. Copy, then paste the following text in "Paste Instructions for Items to be Moved" window (under the yellow bar):
SSHNAS

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Videohost"=-
"SSHNAS"=-

:files
%windir%\msa.exe
%windir%\system32\sshnas.dll
%windir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
%windir%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

:Commands
[emptytemp]
[Reboot]
Click the red Moveit! button. When the tool is finished, it will produce a report for you. Then it will reboot the machine.
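A way to confirm after the reboot that nothing from the script above is left behind (an added example, not part of the original post): this Python check parses `reg query` output for the Run key and compares a file listing against the entries named in the OTM script. The sample registry output, the file listing and the `C:\Windows` value for %windir% are constructed for the illustration.

```python
import ntpath

# Indicators copied from the OTM script on this page.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"videohost", "sshnas"}
FILES = [
    r"%windir%\msa.exe",
    r"%windir%\system32\sshnas.dll",
    r"%windir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job",
    r"%windir%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job",
]

def parse_reg_query(text):
    """Parse `reg query` output into {lowercased key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):              # key headers are not indented
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            parts = line.strip().split("    ", 2)  # name, type, data
            if len(parts) >= 2:                   # data may be empty
                current[parts[0]] = parts[2] if len(parts) == 3 else ""
    return keys

def leftovers(reg_text, existing_paths, windir=r"C:\Windows"):
    """Return the page's indicators that are still present after the cleanup."""
    run = parse_reg_query(reg_text).get(RUN_KEY.lower(), {})
    found = [f"Run value: {name}" for name in run if name.lower() in RUN_VALUES]
    present = {ntpath.normcase(p) for p in existing_paths}
    for entry in FILES:
        if ntpath.normcase(entry.replace("%windir%", windir)) in present:
            found.append(f"file: {entry}")
    return found

# Constructed sample: `reg query` output and a file listing from a partly cleaned machine.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Sidebar    REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    SSHNAS    REG_SZ    <constructed placeholder>
"""
SAMPLE_FILES = [r"C:\WINDOWS\System32\sshnas.dll", r"C:\Windows\explorer.exe"]

if __name__ == "__main__":
    for item in leftovers(SAMPLE_REG, SAMPLE_FILES):
        print("still present:", item)
```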
My handy IE CSS tweaks list
I'm not really a design kind of person, I like designing things, and I'm learning more and more CSS all the time, but it's the server side coding that I love like Apple Pie and custard.
Recently I've had to do a bit more design work, so I've been tripping all over myself to get CSS working in IE6, IE7, IE8 and Firefox. I've learnt a few interesting things in the last few days, and I know I'm going to need to use them again. Some are considered 'hacks', some are just clever CSS techniques. They all feel a bit like secret rules of a club I'm not really a member of yet though.
So I'm making a handy list, so I don't lose them. I hope to refine and add to this on an ongoing basis, so if you know a better / easier way please let me know. After all, coding standards are for life, not just Christmas, and I don't like the idea of anything being a hack, even if it is CSS.
Adding a 1px high line to IE
I am trying to add a 1px line, like an HR line, to the page, but it displays fat in IE. It seems that some versions of IE will display a div without content as the same height as your font size. Add HTML comments to it to drop it down to the right height:
<style>
.yellow-ruler {color: #ffd520; background-color:#ffd520; width: 100%; height:2px; margin: 3px 0px 0px 0px;}
</style>
<div class="yellow-ruler"><!-- --></div>
IE is adding padding and margins to everything by default
I think there is a lot more information about this out there, but for now I've found that adding the code below will kill most of IE's random padding/margin issues.
I've built a JQuery accordion and the content doesn't move correctly
When expanding a JQuery accordion element the content underneath it is not moving down, and the accordion is expanding over it. This was a simple fix, but a bit of a pain to find. Just do not specify a height attribute on the div that holds the accordion; IE will stick to the height, but Firefox will let it grow to be longer.
Styling form element borders
If you have a CSS rule like the one above that removes all the margins, padding and borders, then all your form elements will have no border, i.e. your text fields, textareas etc. will not have a clearly defined edge to them. By adding the line of CSS below (select, input, etc.) you can set the style, width and colour of your form elements so that you control them, rather than the browser defaults. In Internet Explorer this will also add borders to the checkbox and radio form elements. There does not seem to be any way of writing a CSS style to remove this inherently, so create a style of borderless and set all your radio and checkbox fields to "class=borderless".

select,input,textarea{border-width: 1px; border-style: solid; border-color: grey;}

/* IE stops the radio borders */
.borderless{border: 0px;}
Strange IE positioning fix
Sometimes in IE (mainly 6) using position: absolute just does not render the div on screen. I am not sure why. Adding a "clear: both;" or a "clear: left;" or a "clear: right;" appears to fix this.
Easy centering of elements
I used to struggle with centering elements on a page all the time, but now you can do something like this:
.blocktext {
 margin-left: auto;
 margin-right: auto;
 width: 6em
}

<p class="blocktext">Text</p>
This will center a block of text and give it a width of 6em.
For images you can do this:
.displayed {
 display: block;
 margin-left: auto;
 margin-right: auto }

<img class="displayed" src="..." alt="...">
That will auto center the image inside its containing div.
Using Isapi rewrite to serve up non existing templates
I was discussing some ideas for an application framework this morning with the team, and one of the issues we hit upon was having a common directory for templates, but serving them up as if they were from a different directory.
The idea is to have one instance of a reusable skinnable template, that appears to live on several sites.
I.e. all the content lives in "webroot/content/templateName.cfm", but is actually served up by many sites, e.g. "127.0.0.1/site1/template1.cfm", "127.0.0.1/site2/template1.cfm" ... etc.
In this way they can be reskinned or adapted as needed, and they aren't database driven. The main stumbling block for the discussion was the need to actually create blank versions of each of the named templates, in each of the sites, as ColdFusion server would error on the request.
I spent twenty minutes trying to work it so that my Application.cfc's onRequest or onRequestStart method would intercept the request before it was actually made, but that just wasn't working. My other idea was to use the onMissingTemplate method, but the server is only running ColdFusion 7, so that was a no go (I figured I could catch the missing template request and just re-path it, although I'd have to assess if that was really inefficient due to almost every page request logging as failed).
My eventual solution was Isapi rewrite. I am rewriting all the requests to the same template, and just passing in the template variable. In that way I can request pages that don't actually exist, but they appear in the URL.
Create an index.cfm template like this:
<ul>
 <li><a href="page1">Page 1</a></li>
 <li><a href="page2">Page 2</a></li>
 <li><a href="page3">Page 3</a></li>
 <li><a href="page4">Page 4</a></li>
</ul>

<cfdump var="#url#">
<!--- write a handler to go get the url var passed in --->
For this example I am using the free version of Helicon's Isapi rewrite; you can get it here: Link to Helicon's Isapi rewrite
In the example below I have altered the first page link to look like it is actually a .cfm template request, just in case you want the URL string to have a .fileextension look to it.
# Version 3.1.0.68

RewriteEngine on
RewriteBase /mywebroot

#no physical page testing
RewriteRule page1.cfm(/)? isapitest/index.cfm?p=page1
RewriteRule page2(/)? /index.cfm?p=page2
RewriteRule page3(/)? /index.cfm?p=page3
RewriteRule page4(/)? /index.cfm?p=page4
So when you fire it up and test it you just see /page1, /page2 etc, and the pages don't actually exist.
I'm not experienced enough with Isapi rewrite to know if there is a downside to this, but bookmarking in a browser still works correctly, so I can't see any issues at present.
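One thing worth checking in the rule files from both rewrite posts on this page is that none of the patterns is anchored. The following Python check is an added example, not the author's code: it runs a few of the page's patterns and assumed anchored variants over constructed request paths and reports where they differ. It models each rule as an unanchored regex search with the first match winning, which simplifies what the rewrite engine does, and takes paths relative to RewriteBase.

```python
import re

# Patterns as written on this page; $1/$2 become \1/\2 for Python's re module.
PAGE_RULES = [
    (r"requestID/(.*)/(.*)/", r"index.cfm?decryptURL=\1&params=\2"),
    (r"home(/)?", "index.cfm?go=controller.home"),
    (r"login(/)?", "index.cfm?go=controller.login"),
    (r"page1.cfm(/)?", "isapitest/index.cfm?p=page1"),
    (r"page2(/)?", "/index.cfm?p=page2"),
]

# Assumed hardened variants: anchored at both ends, literal dot escaped,
# and each capture limited to a single path segment.
ANCHORED_RULES = [
    (r"^requestID/([^/]+)/([^/]+)/$", r"index.cfm?decryptURL=\1&params=\2"),
    (r"^home/?$", "index.cfm?go=controller.home"),
    (r"^login/?$", "index.cfm?go=controller.login"),
    (r"^page1\.cfm/?$", "isapitest/index.cfm?p=page1"),
    (r"^page2/?$", "/index.cfm?p=page2"),
]

# Constructed request paths, relative to RewriteBase.
SAMPLE_PATHS = ["home", "images/homepage-banner.png", "downloads/login-help.pdf",
                "page1xcfm", "page20", "requestID/a/b/c/d/"]

def rewrite(path, rules):
    """Return the substitution of the first rule whose pattern is found in path."""
    for pattern, target in rules:
        match = re.search(pattern, path)
        if match:
            return match.expand(target)
    return None

def audit(paths):
    """List (path, page_result, anchored_result) where the two rule sets disagree."""
    findings = []
    for path in paths:
        loose, strict = rewrite(path, PAGE_RULES), rewrite(path, ANCHORED_RULES)
        if loose != strict:
            findings.append((path, loose, strict))
    return findings

if __name__ == "__main__":
    for path, loose, strict in audit(SAMPLE_PATHS):
        print(f"{path!r}: page rules -> {loose!r}, anchored -> {strict!r}")
```

Rewriting only adds friendly aliases: the original index.cfm?go=... URLs still answer unless direct requests are blocked, so cfQueryParam and input validation are still needed behind the masked URLs.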








