Re: Tightening security on my webserver (Apache Users)

Re: Tightening security on my webserver

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: users@xxxxxxxxxxxxxxxx

Subject: Re: Tightening security on my webserver

From: Frank Gingras <thumbs@xxxxxxxxxx>

Date: Tue, 14 Nov 2023 15:47:55 -0500

In-reply-to: <CANgJ9eR+N1wnrUXLaAZDdX8JUNmH6c2BOunGTC_5ApdN-eYdFA@mail.gmail.com>

Reply-to: users@xxxxxxxxxxxxxxxx

Since you're using appwaz.php to serve your content and parsing the pathinfo, it falls back on your php application to discard values that are malicious or incorrect.

On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood <murray@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Good question @Frank, and yes it is.

Cheers
Murray

On Wed, 15 Nov 2023 at 07:36, Frank Gingras <thumbs@xxxxxxxxxx> wrote:
To be clear, is sobs.com.au your domain name?

On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <murray@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi folks

First time poster. I recently became aware that hackers were able to include scripts in my URLs that would run (when reflected back to the client web browser).

Is there a simple configuration in Apache that allows me to apply strict rules to the URLs that would stop this happening?

Alternatively, is there something I have opened / allowed that enables this?

For example: https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj

Hope you can help.

Cheers
Murray

--
Murray Collingwood
Focus Computing

Australia ph 07 3175 0575
New Zealand ph 03 928 1699

http://www.focus-computing.com.au

--
Murray Collingwood
Focus Computing

Australia ph 07 3175 0575
New Zealand ph 03 928 1699

http://www.focus-computing.com.au