Rsnake is reporting that Apache discloses information that could be used to detect cloakers:
Okay, but does that really help us? I mean, there’s no ETag at all, right? Well, yes, and that’s the exact point. Because there is no ETag in the header and there is for a confirmed normal file, you can tell that that page is dynamically created using mod_rewrite or a ScriptAlias. But now you’re asking, “What if you don’t know if it normally has the ETag at all, or more specifically what if the entire htdocs directory is dynamic?” How about trying a file that is always there and lives outside of the htdocs directory? The Apache logo that is included with the base install inside the /icons directory definitely qualifies.
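The comparison described in the quoted passage, as an added example that is not part of the original post or of Rsnake's write-up: it compares the response headers of a known static file (such as the Apache logo under /icons) with those of the page being checked, and reports an inconclusive result when the baseline itself carries no ETag. The header blocks are constructed samples and the function names are hypothetical.

```python
# Constructed sample response heads (not captured from a real server).
BASELINE_ICON = """HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 01 Jan 2005 00:00:00 GMT
ETag: "1a2b3c-91e-3f5c4d00"
Content-Type: image/gif
"""

BASELINE_NO_ETAG = """HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 01 Jan 2005 00:00:00 GMT
Content-Type: image/gif
"""

TARGET_PAGE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""


def parse_head(raw):
    """Return (status code, header dict keyed by lower-cased name)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(baseline_raw, target_raw):
    """Compare ETag presence on a known static file and on the target page."""
    b_status, b_headers = parse_head(baseline_raw)
    t_status, t_headers = parse_head(target_raw)
    # Without an ETag on the known static file, a missing ETag on the
    # target says nothing: the server may simply not emit ETags at all.
    if b_status != 200 or t_status != 200 or "etag" not in b_headers:
        return "inconclusive"
    return "static-like" if "etag" in t_headers else "dynamic-like"


if __name__ == "__main__":
    print(classify(BASELINE_ICON, TARGET_PAGE))
    print(classify(BASELINE_NO_ETAG, TARGET_PAGE))
```

A "dynamic-like" result only means the page was generated rather than read from disk; it does not by itself show that different content is served to different visitors.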
4 Responses to “Rsnake on Detecting Cloaking in Apache”
Even if the ETag header is being checked, it would be very easy to avoid. Simply make sure that NOTHING from your site is served with ETags…even those icons. You know, you can always delete the icons.
I posted a related issue here ->
http://www.seoegghead.com/blog/search-engine-optimization/what-mod_rewrite-wont-do-for-you-C6/
So why can’t we use randomly generated/rotated ETags to bring indexers to pages?
I don’t think the ETag header can be used reliably to flag cloaked pages, because it isn’t used widely enough. My tests with some Apache 1.3.33 servers show it isn’t being used there. I’ve checked around and use is fairly spotty. It just isn’t ubiquitous enough to rely on.