Hey all,
Some may remember my question a while back about ensuring all
CC forms are behind https. I've always put them so, but I've
taken over maintenance on a site that did not and have since
corrected the problem.
Now the client is going for PCI compliance as a requirement of
their credit card processor, and we have been dealing with
issues determined to be risks by Security Metrics, most of which
were legit (except one thinking IIS was running on a Linux
server!), but this one has me scratching my head.
The original programmer created the following in the system's
.htaccess file:
# mod_rewrite must be switched on for the rules below to apply
RewriteEngine On
# Only rewrite when the request does not match an existing file...
RewriteCond %{REQUEST_FILENAME} !-f
# ...or an existing directory
RewriteCond %{REQUEST_FILENAME} !-d
# Everything else is handed to the front controller
RewriteRule .* index.php
...which sends any incorrect URL to the home page, correct?
But Security Metrics, as part of their test, ran two URLs
through the system that, while both displaying the home page,
had different things in the header, which they flagged as an
issue. Here is their explanation below, but my question is,
why is this considered a security risk, and what suggestions
might some of you have to correct it?
Thanks much!
Skip
----------------------
The reason why this issue is being flagged is simply that both
links should bring you to the same page, but if you look at the
HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it
returns a 403 Forbidden even though it still takes you to the
main site page, while the other URL
(http://www.ranghart.com/cgi-bin/%3fD=A) is returning a 200
OK when it is the same page as the URL that is returning a
403. You will need to make sure that the pages are responding
in the same way to correct this issue.
---------------------
--
====================================
Skip Evans
Big Sky Penguin, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://bigskypenguin.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
-- Kurt Vonnegut
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
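What the scanner is pointing at is that a URL for a page that does not exist comes back as 200 OK with the home page in the body, while a neighbouring URL for the same non-page comes back 403, so the status line and the content disagree. One way to make the responses consistent is to have the catch-all index.php serve only the routes it knows and send a real 404 for everything else. The following is an added example, not code from the post or from the site in question; the route table and template paths are hypothetical.

```php
<?php
// Added example (not from the original post): a minimal front controller
// for the catch-all "RewriteRule .* index.php". Rather than answering every
// unknown URL with the home page and a 200 status, it serves only known
// routes and sends a genuine 404 otherwise, so the status code matches
// what the visitor actually gets. Route names and templates are hypothetical.

declare(strict_types=1);

// Hypothetical site pages: URL path => template file to include.
$routes = [
    '/'         => 'templates/home.php',
    '/about'    => 'templates/about.php',
    '/checkout' => 'templates/checkout.php',
];

// Take the path only (query string ignored) and normalise a trailing slash,
// so "/cgi-bin/?D=A" is looked up as "/cgi-bin", which is not a known route.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$path = '/' . trim($path ?? '/', '/');

if (isset($routes[$path])) {
    // Known page: 200 is the correct status here.
    http_response_code(200);
    require $routes[$path];
    exit;
}

// Unknown URL: say so in the status line, not only in the body.
// http_response_code() needs PHP 5.4+; on older builds use
// header('HTTP/1.1 404 Not Found') instead.
http_response_code(404);
header('Content-Type: text/html; charset=utf-8');
echo '<h1>Page not found</h1>';
```

A quick check after deploying is to request a known page and a made-up path with curl -I and confirm the status lines read 200 and 404 respectively.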