Philhosting.Net | Internet Articles | Updates | Tips & Tricks » Tutorials

URL Masking - Attainment and Prevention

Root — Fri, 04 Jul 2008 13:34:39 +0000

This article does two things: It tells you how to do URL masking. And, it tells you how to protect yourself if someone is masking your web pages without authorization.

URL masking is covering up a URL with a different one. It presents one URL when the actual URL is something different.

Causing the browser’s address bar to show a URL different than the actual URL of the web page being viewed is one definition of URL masking. Another definition is to cause a link URL to show in the browser’s status bar different than the URL of the web page being linked to.

This article addresses the first definition of URL masking. One URL is in the browser’s address bar. The web page being displayed in the browser window is at a different URL.

I will describe several ways to mask URLs. I will also show how to frustrate those who would mask your web page URLs without your consent.

When you know how to accomplish it and how to prevent it, you are that much more in control of your web site.

Here are the three methods of masking URLs addressed by this article:

With frames.
With Apache rewrite.
With page retrieval software.

There are defenses from the first and third method that site owners can employ to prevent that kind of maneuvering. The second method needs no defense because only someone with access to the domain can use it.

URL Masking With Frames

Two different types of frames can be used to present a web page in the browser with a URL different than the URL in the address bar.

The FRAMESET tag.
The IFRAME tag.

In both methods, when the web page with the frame is loaded into the browser, the frame web page’s URL is in the browser’s address bar even while the browser window displays a web page located at a different URL.

The frames web page originally loaded into the browser and the web page retrieved from elsewhere may be on different domains.

Using The FRAMESET Tag For URL Masking.

This method hides all visual cues that the web page being displayed is not at the URL in the browser’s address bar (unless the web page being displayed itself contains images or wordage that provide clues).

What you do is create a FRAMESET web page that loads the target web page.

Make a web page with the following code. Change the URL in the third line of the code to the URL of the web page to be displayed in the browser.

Put only the above into the FRAMESET web page. Use no HTML or BODY or other normal web page tags.

Upload the FRAMESET web page to your server. Load the FRAMESET web page into your browser.

You’ll notice that the URL of the FRAMESET web page is in your browser’s address bar even while a different web page, the one you specified in the third line of the above code, is displayed in the browser window.

That’s the simplicity of URL masking with a FRAMESET tag.

Help with .htaccess files

Root — Thu, 03 Jul 2008 16:48:13 +0000

Please note that .htaccess files affect ALL subdirectories of the folder it is placed into.

To create a .htaccess file in windows, use notepad to create a new document, and save it as htaccess.txt. When you have uploaded it to the server, simply rename it .htaccess

Once uploaded, the .htaccess file may disappear from view, this is because it is a hidden file, and some FTP clients do not automatically show hidden files.

ErrorDocument

To make your own custom error pages, create a new document in notepad, and enter the following line:

ErrorDocument XXX /path to your/errordocument.ext

Where
XXX - is the errordocument you want to replace i.e.
401 Not authorised
403 Forbidden
404 Page not found

/path to your/errordocument - is the path to your error page relative to the httpdocs folder (ie /error/404.php)

and .ext is the extension you want the page to have, i.e.
.html
.php

Save the file as htaccess.txt, upload it to your httpdocs folder, and rename it to .htaccess

Example:
ErrorDocument 404 /error/404.php

Note:
You cannot call the directory where you store your error pages error_docs

Tips

Other useful .htaccess tips

If you’ve uploaded an .htaccess file, and you can’t see it in your FTP client, then you will need to add a filter. Somewhere in the settings, there will be an option to add a remote filter, you need to add -a which will tell your FTP client to show hidden files (on linux hosting servers, files starting with a . are hidden).

To make a directory show a list of files, rather than auto-load an index file, put the following line into an .htaccess file in the directory you want to ‘index’:

Options +Indexes

To change the default index file for a directory, put this line:

DirectoryIndex somefile.ext

Where somefile is your filename, and ext is the file extension (php, html)

Example:
DirectoryIndex home.php

To run PERL scripts outside the cgi-bin, put this line into the .htaccess file for the directory where you want to run the PERL script:

Options +ExecCGI
AddHandler cgi-script .cgi .pl

To block a certain IP from viewing a folder (or your whole site), you need to add the following lines:

Order Allow,Deny
Allow from all
Deny from IP.TO.BLOCK

Where IP.TO.BLOCK is the IP address you wish to stop accessing your site/folder

How To Use SSI (Server Side Includes)

Root — Thu, 03 Jul 2008 16:00:13 +0000

Purpose

An SSI (Server Side Include) allows the webmaster to include content that is reused on many pages by updating the content one time. It’s also a way to have dynamic content on your pages within updating the HTML code or using FTP.

Users

The webmaster is the primary user of the SSI.

What is an SSI?

SSI (Server Side Include) is a directive that is placed within HTML pages, and evaluated on the server as the server sends the page to the browser. It allows you, the Webmaster, to add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

What’s that you say? As a Webmaster, you can divide your page into parts. For example, these might be: header, navigation bar, content well, text insert, site footer, and copyright footer. The parts that you want to appear on several pages on your site, like the header, navigation bar, and footers can be stored separately as text files and imported dynamically into all the pages where they are used. As you update the content well (that piece which changes frequently) or any other piece, the browser assembles the parts dynamically, and the page is displayed to the site visitor as if the page had been created as a single unit. In fact, when you look at the source code from the browser window, it’s a seamless unit. The “magic wand” that “glues” the pieces together is an SSI.

Why use a server side include?

The advantage of using a server side include in a page is that the browser builds the page using the latest version of the included file and dynamically updates all the pages using that block the next time the pages are refreshed or loaded by the browser. Thus, blocks of code that are reused in many pages only have to be updated once. SSI use can work like frames, without the disadvantages of using a framed site.

The example in Appendix A (311K PDF) uses several server side includes to assemble designated blocks of code that might be used repeatedly throughout a related set of web pages. Using SSI’s is a good way to place headings, navigation elements, News Box Publisher, Tool Central NewsPublisher or Calendar Box Publisher content, as well as local and site-wide footers in a web page. The text SSI (server side include) used in this example is processed on the fly by the server as the page is rendered by the browser for the site visitor.

Note: MCPS servers DO NOT support SSI execs that execute a program on the server because they pose a high security risk to our servers.

What does a server side include look like?

The format of the server side include of text is one line of code:

#include file=”filename.txt” or
#include virtual=”/directory/filename.txt”

If the browser can’t process this kind of statement (If browser is too old, pre-Netscape 4.0 or IE 5), it will skip the command and try to display the include statement as text on the page. To avoid this situation, we place the command inside of HTML comment tags thus:

That’s it. One line of code tells the browser “go get this file and insert it here.”

Changing file extensions to .shtm or .shtml

It can’t be that easy, can it? Well, there are a couple of other little things you need to do once for each page. You must use the file extension .shtm or .shtml instead of .htm and .html. This is simply a naming convention that says “This html file includes Server commands - please parse it before delivering to the browser site” (hence the “s”). That way parsing can be skipped for all “plain” .html [or .htm] files. Shtml is the default extension for a page with server-side includes.

Keeping your visitors coming to your site after changing file extensions

The last thing you need to do is keep your friends who used to view your page at the .htm or .html URL address. When using the SSI, you’re actually changing your home page name from index.html to index.shtm. If you delete the old index.html and put up index.shtm, your new page is the default. It displays in the browser when your directory is opened and everybody’s happy. Few will even notice that the page name has changed.

But, if a visitor has bookmarked or linked to the page named index.html, and they use their bookmark or link to return to your page, it won’t be there anymore. The site visitor will see 404 — Page not found. What can you do so you don’t lose this site visitor? You can make a redirect page to send those seeking the old index.html and forward them to your new page now named index.shtm. An example of this code is included in How to Make and Use a Redirect. It’s good practice to put up a redirect to replace the old index.html to avoid frustrating your site visitors.

Make the pieces to assemble

The pieces are made in the same way you make your pages. The pieces, though, only include their part of the page. You don’t need any , or tags as you need for a complete page. You can preview your “piece” in your HTML editor the same way you’d preview an .html page. To make the piece into an includable file, save it as a text file. Give it an identifiable name with the suffix of .txt ( i.e. footer.txt) and save it in your school/office root directory. You’ll need one text file for each include command in your web page.

Easy as pie… That’s the essentials of using SSI.

Setting up mail accounts in Outlook

Root — Wed, 02 Jul 2008 09:03:36 +0000

The following is a simple tutorial on how to setup mail accounts in outlook. The screen shots taken are from WindowsXP but are applicable to most versions of Outlook.
Home

Beginning

First of all you need to open the mail program and then select the “Tools” option. From this menu select the “e-mail accounts” option. This allows you to setup and configure your mail accounts.

Adding a new mail account

This menu gives you access to add a new email account, and to view/change your current email accounts already created. You need to select the “Add a new e-mail account” option, then click Next.

Select your name

Here you need to select the type of account you wish to create. You should select either POP3, or IMAP. With POP3, it will download all of the mail to your computer. With IMAP, it will leave the mail on the server.

Select your reply address

On this screen, the name you choose as “Your name”, will be the name people see the mail being sent from. The address you use in “E-mail address”, will be the email address people see the mail being sent from.
Most people choose the email address they are sending from. For example: if your email address is me@me.com, you will most likely want the reply address to be me@me.com

There are also two server addresses you must complete, one for incoming mail and one for outgoing mail.

For some Internet Server Provider (ISP), there is a restriction in using SMTP server and you need to use their ISP SMTP server for you to send an email. In the incoming mail server field, you need to enter: mail.yoursitename, so if your address is me.com you want to use mail.me.com
For the outgoing mail server (SMTP) you should consult your ISP (the company who provides your Internet connection). Most ISP’s provide an SMTP server of the form: smtp.ispname or mail.ispname If they cannot provide you with this, we can offer SMTP as an upgrade.
The logon information is the username/password you must use when collecting your mail. If you have created your own mail account via the siteadmin interface you should set the account name/password to the email address/password you chose. Otherwise you should use the email address/password provided in your welcome email.

All done

Simply select finish and you are now all ready to receive your email through outlook.

Managing Web Directories

Root — Tue, 01 Jul 2008 07:59:57 +0000

Plesk allows you to see the directories of your domain the way they are seen from the web and manage their protection and settings. Generally, there are two types of directories, physical and virtual ones. Physical directories are the actual directories present on the server’s hard drive while virtual ones are only abstraction, a kind of links to the existing physical directories. Therefore, virtual directories are not visible in regular file manager but you can see and manage them on the Web Directories screen at the Domain Administration page.

Further, URLs for directories may be protected and unprotected. Everybody can access unprotected URLs, while only privileged users can access URLs with protection.

While working with the Web Directories screen, there is a notion of current directory. It is written in the title text of the page (by default, it is “Web directory /”). All the actions accessible on the screen affect the current directory. To change the directory, click on the desired name in the Web directories list. The title text will be updated to reflect the change.

Each entry in the directories list has three icons at the right side. First one allows you to open the corresponding directory in browser. The next one allows changing preferences of the directory. It is accessible only for virtual directories. The last one allows editing permissions.

If the current directory is virtual, four tabs are shown at the top of the page:

General. This is the tab where you can change the current directory and change its properties.
MIME Types. Here you can define what types of files the web server can handle in the current directory.
Error documents. Allows you to change custom error documents for the web server errors. For using this feature, you should allow this on the domain setup page (the Custom Error Documents checkbox).
Protection. Used for managing protected URLs.

If the current directory is physical, only General and Protection tabs are shown.

Preferences on each of them affect the current web directory. There are three available buttons on the General tab:

Add New Virtual Directory. Press it to add a new virtual directory in the current directory.
Preferences. Manages the properties of the current directory. Available only for virtual directories.
Permissions. Allows you to define what types of actions different user types can carry out with the current directory.

Managing Directory Preferences

To change properties of the current directory, press the Preferences button on the General tab. The following page will appear:

At this page you can change the properties of the given virtual directory, and add and remove nested virtual directories.

The Name field contains the name of the current virtual directory. You can rename the directory by entering the new name in this field.

In the Path drop-down list, select the path to the physical directory where the virtual directory resides.

Select the Script source access to allow users to access source code if either Read or Write permissions are set. Source code includes scripts in ASP applications.

Select the Read permission checkbox to allow users to read files or directories and their associated properties.

Select the Write permission checkbox to allow users to upload files and their associated properties to the current virutal directory or to change content in a write-enabled file. Write access is allowed only when a browser that supports the PUT feature of the HTTP 1.1 protocol is used.

Select the Directory browsing box to allow users to see a hypertext listing of the files and subdirectories in this virtual directory. Because virtual directories do not appear in directory listings, users must know a virtual directory’s alias. If Directory browsing is disabled, user does not specify a file name and the default content page (see below) is disabled, the Web server displays an “Access Forbidden” error message in the user’s Web browser.

Select the Log visits checkbox if you want to store the information on visiting the current directory.

The Create Application checkbox makes the virtual directory an IIS Application. The directory becomes logically independent from the rest of the web-site.

The Execute permissions option determines the program execution level allowed for this site’s resources.

Set permissions to None to allow access only to static files such as HTML or image files.

Set permissions to Scripts only to allow running scripts only, not executables.

Set permissions to Scripts and Executables to remove all restrictions so that all file types can be executed.

Select the Enable parent paths checkbox to allow using double period in the pathname when referring to a folder above the current virtual directory. This makes users able to move up the folder tree without knowing the folder name or the whereabouts in the hierarchy. If the option is selected, parent paths should not have the Execute permission so that applications do not have the ability of unauthorized running of programs in the parent paths.

Select the Enable to run in MTA checkbox to allow the application execution in multi-threaded apartment (MTA) mode. Otherwise, the application runs in single-threaded apartment (STA) mode. Using STA, each application pool is executed in a dedicated process. With MTA, several concurrent application pools are executed in one thread which can increase performance in some cases.

The Enable default content page checkbox allows use of a default document for the current virtual directory. The default document is sent when users access the directory on the Web without a specific file name (e.g. using http://www.swsoft.com as opposed to http://www.swsoft.com/index.html). If this checkbox is deselected and the Directory browsing checkbox is enabled, the Web server returns a folder listing. If it is deselected and theDirectory browsing checkbox is disabled, the Web server returns an “Access Forbidden” error message.

IIS searches for the default documents in the order specified in the Default documents search order field and sends user the first available file it finds. If no match is found, IIS behaves as in the cases when the default content page is disabled.

Select the Enable anonymous access checkbox if you want to make the directory public so that web users could access it without authentication.

Select the Require SSL checkbox to enable SSL-only access to the folder.

Click OK to submit your changes.

Managing Web Directory Permissions

Plesk allows setting up permissions for a web directory; this way you control what types of actions different uses can perform with the directory. To manage permissions of the current web directory, click the Permissions button on the General tab. The following page will open:

When setting permissions for folders: using the appropriate checkboxes, allow or disallow users to view the folder and its contents, to create files within the directory, and to traverse the directory. You can also select appropriate checkboxes in All Actions column if you want to allow or deny all operations for the given user/user group.
When setting permissions for files: using the checkboxes, allow or disallow users to read and write to the file, and define permissions for file execution. You can also select appropriate checkboxes in All Actions column if you want to allow or deny all operations for the given user/user group.

Select the Show additional users checkbox for users with non-defined access rights to be shown in the list, so that you could grant them appropriate rights.

Click OK to submit your changes or click Cancel to discard all changes and return to the previous page.

Managing MIME Types

To set up MIME types for the current web directory, go to the MIME Types tab. The following screen will appear:

Multipurpose Internet Mail Exchange (MIME) types instruct a Web browser or mail application how to handle files received from a server. For example, when a Web browser requests an item on a server, it also requests the MIME type of the object. Some MIME types, like graphics, can be displayed inside the browser. Others, such as word processing documents, require an external helper application to be displayed.

When a web server delivers a Web page to a client Web browser, it also sends the MIME type of the data it is sending. If there is an attached or embedded file in a specific format, IIS also tells the client application the MIME type of the embedded or attached file. The client application then knows how to process or display the data being received from IIS.

IIS can only operate files of registered MIME types. These types could be defined both on the global IIS level and on the domain or virtual directory level. Note that globally defined MIME types are inherited by all the domains and virtual directories while ones defined on the domain or virtual directory level are used only for the area where they are defined. Otherwise, if the web server receives request for a file with unregistered MIME type, it returns the 404.3 (Not Found) error.

To add a new MIME type, click on the corresponding icon. To edit an existing type, click on its name in the list at the bottom of page. The following screen will appear:

In the Extension box, type the file name extension beginning with a dot (.), or use a wildcard (*) to serve all files regardless of file name extension.

Specify the file content type in the Content box. You can either select the appropriate value from the list or define a new content type. To do this, select Custom… and enter the content type in the input box provided.

Click OK to submit your choice.

Managing Custom Error Documents

Plesk allows managing error documents sent to clients in cases of web server errors. The error codes are standardized in the HTTP protocol. For each error type you can either leave the default error document or replace it with the custom one.

To set up custom error documents, go to the Error Docs tab. The following screen appears:

The changes made on this screen affect only the current directory and all of its subdirectories.

All HTTP errors for which you can change the error page are listed in the Error docs list. To view the current settings for an error or change them, click on the error’s name or number. The Edit Error Document page will open where you can change the default error document for the chosen type of error to your own one.

The Error label contains the standard error number along with its description.

The Type drop-down list contains two items: Default and File. When it is set to Default, the default IIS documents are used and the Location field below is inactive. To force server to show your page instead of the default one for the selected error type, select the File option in the Type drop-down field and type the name of the desired HTML document in the corresponding field. The error documents should lie in the errordocs directory and the Location field should only contain the name of document, e.g. 404.html.

Managing Protected URLs

Plesk allows setting protection on a URL for a web directory, which means the URL will be accessible only by users allowed to do so. You can protect both physical and virtual folders. To manage URL protection of the current directory, go to the Protection tab. The following screen will appear:

To protect the URL for the current directory, press the Protect button. Now you can start adding users which will have access to it. To do this, press the Add New User button. A new screen will open where you will have to specify new user’s name and password. When the user tries to access the protected URL via browser, a window opens where user should enter his/her name and password.

Click the Preferences button to set up the current protected URL’s settings.

The list at the bottom of page shows all users which have permission to access the URL. You can click on user’s name to change its password.

If you want to disable URL protection for the current directory, press the Remove protection button.