From: Skip Evans
> ----------------------
> The reason why this issue is being flagged is simply that both
> links should bring you to the same page, but if you look at the
> HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it
> returns a 403 Forbidden even though it still takes you to the
> main site page, while the other URL
> (http://www.ranghart.com/cgi-bin/%3fD=A) is returning a 200
> OK when it is the same page as the URL that is returning a
> 403. You will need to make sure that the pages are responding
> in the same way to correct this issue.
> ---------------------

My first reaction is that there is a problem with the way your server is parsing the URLs. Because it responded differently to the encoded question mark than it did to the actual question mark, there may be a bug in that parser. Now, whether that bug is exploitable is another matter and is not even questioned here. But its very existence is of concern when you are working with PCI.

One other note I would make here. We believe that the PCI requirements were devised to protect the credit card companies from liability. They do very little to protect you or your employer. We treat them as only the minimum requirements for any site or product, whether it has to go through their certification process or not.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
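The two URLs in the scanner finding are not, by the URL grammar, the same resource: in `/cgi-bin/?D=A` the literal `?` starts the query string, while in `/cgi-bin/%3fD=A` the `%3f` is percent-encoded data that stays inside the path, naming a file literally called `?D=A`. A server that serves the same page for both, with different status codes, is collapsing that distinction somewhere in its parsing, which is the parser bug Bob is pointing at. The following is an added example, not code from the thread or from the mailing list: it shows how a standards-conforming parser splits each spelling and gives a small, fetcher-injectable check that compares the status codes of URL variants side by side. The host `example.test`, the stubbed responses and the helper names are constructed for the example; point `compare_variants` at a real host by leaving the default `live_fetch` in place.

```python
"""Compare how a server answers two spellings of "the same" URL.

Added example for the PCI-scan thread above. The host, the stub responses and
the function names are assumptions, not data from the original messages.
"""
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen


def split_target(target):
    """Return (decoded_path, query) as an RFC 3986 parser sees the target.

    A literal '?' ends the path and starts the query. A percent-encoded '%3f'
    is ordinary path data, so it is decoded *inside* the path and no query is
    produced: '/cgi-bin/?D=A' and '/cgi-bin/%3fD=A' name different resources.
    """
    parts = urlsplit(target)
    return unquote(parts.path), parts.query


def live_fetch(url):
    """HEAD the URL and return the HTTP status code, including 4xx/5xx."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def compare_variants(base, targets, fetch=live_fetch):
    """Fetch every target under base and report the status of each.

    Returns (statuses, differ): a dict target -> status code, and True when
    the variants did not all receive the same status, which is exactly the
    inconsistency the scanner flagged.
    """
    statuses = {t: fetch(base + t) for t in targets}
    differ = len(set(statuses.values())) > 1
    return statuses, differ


# Constructed stub standing in for the server described in the thread:
# 403 for the literal-query spelling, 200 for the percent-encoded one.
STUB_RESPONSES = {
    "http://example.test/cgi-bin/?D=A": 403,
    "http://example.test/cgi-bin/%3fD=A": 200,
}


def stub_fetch(url):
    """Offline replacement for live_fetch, returning the constructed codes."""
    return STUB_RESPONSES.get(url, 404)


VARIANTS = ["/cgi-bin/?D=A", "/cgi-bin/%3fD=A"]

if __name__ == "__main__":
    for target in VARIANTS:
        path, query = split_target(target)
        print(f"{target:22} -> path={path!r:18} query={query!r}")
    statuses, differ = compare_variants("http://example.test", VARIANTS,
                                        fetch=stub_fetch)
    for target, code in statuses.items():
        print(f"{target:22} -> HTTP {code}")
    print("inconsistent:", differ)
```

Running it against the stub prints the parsed path and query for each spelling and then the 403/200 pair, with `inconsistent: True`; against a live host the same `compare_variants` call shows whether the fix (both spellings answered with the same status, or the encoded form correctly treated as a distinct path) has taken effect.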