Re: Tightening security on my webserver (Apache Users)

Hi Frank

I should mention that a hacker found this vulnerability and sent me the URL.

I'm reasonably confident this isn't coming from my PHP application.

The text from the path_info is turning up in the <body>, here's a screenshot

But my PHP code generates this <body> code like this:

    <body class="page-<?= $filename ?> <?= $hasHeader ? 'has-header' : '' ?> <?= $hasSideMenu ? 'has-side-menu' : '' ?>">

Hmmm, that looks suspiciously like the $filename causing the problem....where does that come from?

$filename = pathinfo($_SERVER['PHP_SELF'], PATHINFO_FILENAME);

PHP_SELF is including the script and also the path_info - darn!

Changed to SCRIPT_NAME which is just the script name.

$filename = pathinfo($_SERVER['SCRIPT_NAME'], PATHINFO_FILENAME);

Sorry - this is clearly my problem... but thank you Frank for the pointer in the right direction.

Cheers

Murray

On Wed, 15 Nov 2023 at 10:04, Frank Gingras <thumbs@xxxxxxxxxx> wrote:

The URI path part of pathinfo is not "ignored", nor "considered" by the web server. It is simply passed to the php application. If your application chooses to include it in the response, then the application must be corrected.

On Tue, Nov 14, 2023 at 3:57 PM Murray Collingwood <murray@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi Frank

Yes, and I can do this, but I'm really surprised that this extra content is even being reflected back to the web user. My assumption was if I ignore anything beyond my "appwaz.php" it will be ignored by the web server.... so why is this text being reflected back as part of the response??? Is it something I'm doing in my php script? (I don't think so).

Cheers
Murray

On Wed, 15 Nov 2023 at 09:47, Frank Gingras <thumbs@xxxxxxxxxx> wrote:
Since you're using appwaz.php to serve your content and parsing the pathinfo, it falls back on your php application to discard values that are malicious or incorrect.

On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood <murray@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Good question @Frank, and yes it is.

Cheers
Murray

On Wed, 15 Nov 2023 at 07:36, Frank Gingras <thumbs@xxxxxxxxxx> wrote:
To be clear, is sobs.com.au your domain name?

On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <murray@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi folks

First time poster. I recently became aware that hackers were able to include scripts in my URLs that would run (when reflected back to the client web browser).

Is there a simple configuration in Apache that allows me to apply strict rules to the URLs that would stop this happening?

Alternatively, is there something I have opened / allowed that enables this?

For example: https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj

Hope you can help.

Cheers
Murray

--
Murray Collingwood
Focus Computing

Australia ph 07 3175 0575
New Zealand ph 03 928 1699

http://www.focus-computing.com.au

--
Murray Collingwood
Focus Computing

Australia ph 07 3175 0575
New Zealand ph 03 928 1699

http://www.focus-computing.com.au

--
Murray Collingwood
Focus Computing

Australia ph 07 3175 0575
New Zealand ph 03 928 1699

http://www.focus-computing.com.au