virtual domain name and relative URLs
by Charlotte Gardner <vgardner(at)mindspring.com>
Date: Mon, 28 Feb 2000 11:38:35 -0500
To: hwg-servers(at)hwg.org

Hello all,
I manage the website for the local chapter of a non-profit
organization. Lately, I've been talking with the organization's
sysadmin about security violations. Here's the scenario:
The sysadmin recently enabled virtual domain names for
us chapter webmasters to use. So, instead of:
http://www.myorg.com/chapters/mystate/mygroup/
I can now use:
http://mystate.myorg.com/mygroup/
Our chapter decided to use the virtual domain name as it is
much easier for the chapter members to remember and spell
correctly. However, I found out that when we called up the
online membership form with this address, it broke the link
to the form-handling script. In other words, the form's
"ACTION = /cgi-bin/FormHandler.asp" no longer worked.
The sysadmin said to use the absolute URL instead:
http://www.myorg.com/cgi-bin/FormHandler.asp
This worked, but I discovered that it introduced a security hole. Anyone
could potentially install a copy of the form in their web account and run
messages through the myorg.com email server. We've since plugged the
hole by adding code to the FormHandler script to check the
HTTP_REFERER value.
However, I began to wonder if, in general, using the absolute URL is
the best solution. Earlier, the sysadmin mentioned using this method
in other scripts and I'm concerned that other security holes will open up.
So my question is, is there a way for the sysadmin to configure the
server so that we webmasters can use relative URLs and virtual domain
names together?
TIA,
Charlotte Gardner
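
An added example, not part of the original post and not the organization's FormHandler.asp: a Python sketch of an HTTP_REFERER check that accepts both www.myorg.com and the virtual chapter hosts by parsing the host instead of searching the string for "myorg.com". Because the Referer header is supplied by the client, the sketch also assumes the recipient is looked up server-side from a hypothetical `form_id` field; `RECIPIENTS`, `form_id` and the mailbox address are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organization's domain, taken from the example URLs in the post.
TRUSTED_SUFFIX = "myorg.com"
# Assumption (constructed): recipients are fixed on the server and selected by key,
# so a copied form cannot direct mail to an address of its own choosing.
RECIPIENTS = {"membership": "membership@myorg.com"}


def referer_host_ok(referer, suffix=TRUSTED_SUFFIX):
    """True only if the Referer host is the domain itself or one of its subdomains."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Exact match or a dot-delimited suffix match; a plain substring test would
    # also accept hosts and query strings that merely contain "myorg.com".
    return host == suffix or host.endswith("." + suffix)


def handle_submission(environ, form):
    """Return (accepted, recipient_or_reason) for one form submission."""
    if not referer_host_ok(environ.get("HTTP_REFERER")):
        return (False, "referer not on an organization host")
    # Any recipient field posted by the client is ignored on purpose.
    recipient = RECIPIENTS.get(form.get("form_id", ""))
    if recipient is None:
        return (False, "unknown form")
    return (True, recipient)
```
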
HWG: hwg-servers mailing list archives,
maintained by Webmasters @ IWA