Hi Frank
I should mention that a hacker found this vulnerability and sent me the URL.
I'm reasonably confident this isn't coming from my PHP application.
The text from the path_info is turning up in the , here's a screenshot
[image: image.png]
But my PHP code generates this code like this:
You could look at the AcceptPathInfo directive in the meantime as well.
On Tue, Nov 14, 2023 at 4:04 PM Frank Gingras wrote:
> The URI path part of pathinfo is not "ignored", nor "considered" by the
> web server. It is simply passed to the php application. If your application
> chooses to
The URI path part of pathinfo is not "ignored", nor "considered" by the web
server. It is simply passed to the php application. If your application
chooses to include it in the response, then the application must be
corrected.
On Tue, Nov 14, 2023 at 3:57 PM Murray Collingwood <
Hi Frank
Yes, and I can do this, but I'm really surprised that this extra content is
even being reflected back to the web user. My assumption was if I ignore
anything beyond my "appwaz.php" it will be ignored by the web server so
why is this text being reflected back as part of the
Since you're using appwaz.php to serve your content and parsing the
pathinfo, it falls back on your php application to discard values that are
malicious or incorrect.
On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood <
mur...@focus-computing.com.au> wrote:
> Good question @Frank, and yes it is.
Good question @Frank, and yes it is.
Cheers
Murray
On Wed, 15 Nov 2023 at 07:36, Frank Gingras wrote:
> To be clear, is sobs.com.au your domain name?
>
> On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <
> mur...@focus-computing.com.au> wrote:
>
>> Hi folks
>>
>> First time poster. I
On Tue, Nov 14, 2023 at 3:11 PM Luigi Bellio wrote:
>
> Hi Rainer,
>
> I tried also in this way but the "Set-Cookie" response header is present.
>
> I did further tests ... the response header is set also when returning
> static resources, for example
>
> Set-Cookie:
>
Hi Rainer,
I tried also in this way but the "Set-Cookie" response header is
present.
I did further tests ... the response header is set also when
returning static resources, for example
Set-Cookie:
7133ee39c88e27dfb06de1e1feafdacd=64ca85231009a6bb674397ffaccb3d14;
path=/;
To be clear, is sobs.com.au your domain name?
On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <
mur...@focus-computing.com.au> wrote:
> Hi folks
>
> First time poster. I recently became aware that hackers were able to
> include scripts in my URLs that would run (when reflected back to the
>
Hi folks
First time poster. I recently became aware that hackers were able to
include scripts in my URLs that would run (when reflected back to the
client web browser).
Is there a simple configuration in Apache that allows me to apply strict
rules to the URLs that would stop this happening?
On Tue, Nov 14, 2023 at 3:24 PM Luigi Bellio wrote:
>
> Hi Eric,
>
> thanks for your feedback ... I just tried, nothing is changed ...
> moreover as documented the "always" directive should apply to all
> response codes not only "on success".
You're missing one important issue the
On 2023-11-13 22:17, Chris me wrote:
I rechecked the response headers, interesting thing is the server that
works is just sending content-type: text/thml
but the one that does not work is sending content-type: text/html and
charset=UTF-8
even though it is sending the charset after I
Hi Eric,
thanks for your feedback ... I just tried, nothing is changed ...
moreover as documented the "always" directive should apply to all
response codes not only "on success".
Thanks for any support,
Luigi.
On 2023/11/14 13:22:06 Eric Covener wrote:
> > Header
> Header always unset Set-Cookie
Try without "always"
On Tue, Nov 14, 2023 at 6:25 AM Luigi Bellio wrote:
>
> Hi all,
>
> we are using version 2.4.57 of Apache HTTPd with this configuration
>
>
> ServerName :1080
> CustomLog combined
> ErrorLog
>
>
Hi all,
we are using version 2.4.57 of Apache HTTPd with this configuration
ServerName :1080
CustomLog combined
ErrorLog
DocumentRoot "/usr/local/apache2/conf/extra"
Require all granted
15 matches
Mail list logo