可以重写 HttpContext.Current.Request.Url.AbsoluteUri 吗?
我们有一个系统,可以将我们网站上发生的事件记录在表格中。
中找到的页面属性的引用
它当前记录所有事件,并描述正在发生的情况,以及在HttpContext.Current.Request.Url.AbsoluteUri
我刚刚从服务器发现了 HttpContext.Current.Request.Url.AbsoluteUri我们不拥有“http://ya.ru/Default.aspx”,
这个表中还记录的是线程ID(Threading.Thread.CurrentThread.ManagedThreadId)(记录为线程1)和一个sessionID(HttpContext.Current) .Session.SessionID)。
这个未经请求的服务器如何在我们的网站上运行东西,这是否意味着他们可以访问我们的代码,或者您可以合法地覆盖 HttpContext.Current.Request.Url.AbsoluteUri 吗?如果没有,是否可以删除 HttpContext.Current?
除了运行一些数据库查询之外,它们似乎还运行一些用户控件!?
它似乎是一个俄罗斯搜索引擎,但我不确定它们如何以某种方式覆盖我们的页面参数。
以下是为日志记录例程设置 PAGE 参数的代码:
Dim threadID As Integer
If Not HttpContext.Current Is Nothing Then
Page = HttpContext.Current.Request.Url.AbsoluteUri ' & "/" & HttpContext.Current.Request.RawUrl '& HttpContext.Current.Request.Path
Integer.TryParse(Threading.Thread.CurrentThread.ManagedThreadId, threadID)
If Not HttpContext.Current.Session Is Nothing Then
Try
Session = HttpContext.Current.Session.SessionID
Catch
Session = "empty"
End Try
End If
Else
Page = MyPageName
End If
有什么想法吗?
We have a system that logs events that occur on our website in a table.
It currently records all the events with a description of what is going on, and a reference of the page's property found in
HttpContext.Current.Request.Url.AbsoluteUri
I have just spotted an HttpContext.Current.Request.Url.AbsoluteUri from a server we do not own "http://ya.ru/Default.aspx"
Also recorded in this table is the Thread ID (Threading.Thread.CurrentThread.ManagedThreadId) (which is recorded as thread 1) and a sessionID (HttpContext.Current.Session.SessionID).
How can this unsolicited server be running stuff on our site, does it mean they have access to our code, or can you legitimately override HttpContext.Current.Request.Url.AbsoluteUri? If not is it possible to drop HttpContext.Current?
Apart from running a few database queries, they also seem to be running some usercontrols!?
It seems to be a russian search engine, but i'm not sure how they are somehow overwriting our Page Parameter.
Here is the code that set's the PAGE parameter for the logging routine:
Dim threadID As Integer
If Not HttpContext.Current Is Nothing Then
Page = HttpContext.Current.Request.Url.AbsoluteUri ' & "/" & HttpContext.Current.Request.RawUrl '& HttpContext.Current.Request.Path
Integer.TryParse(Threading.Thread.CurrentThread.ManagedThreadId, threadID)
If Not HttpContext.Current.Session Is Nothing Then
Try
Session = HttpContext.Current.Session.SessionID
Catch
Session = "empty"
End Try
End If
Else
Page = MyPageName
End If
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您的服务器设置是否可以处理传递给它的任何主机标头?转到命令行并运行此命令,将
123.123.123.123更改为服务器的 IP,将/Page.aspx更改为您尝试访问的任何页面,但将域名保留为是。检查您的日志,如果您看到
www.example.com,则 IIS 设置了一个“默认站点”,用于处理指向它的任何请求。Is your server setup to handle any host header passed to it? Drop to a command line and run this, changing
123.123.123.123to your server's IP and/Page.aspxto whatever page you're trying to hit but leave the domain as is.Check your logs and if you see
www.example.comthen IIS is setup with a 'default site' that handles any requests directed to it.