Hi Frank
I should mention that a hacker found this vulnerability and sent me the URL.
I'm reasonably confident this isn't coming from my PHP application.
The text from the path_info is turning up in the , here's a screenshot
[image: image.png]
But my PHP code generates this code like this:
You could look at the AcceptPathInfo directive in the meantime as well.
On Tue, Nov 14, 2023 at 4:04 PM Frank Gingras wrote:
> The URI path part of pathinfo is not "ignored", nor "considered" by the
> web server. It is simply passed to the php application. If your application
> chooses to
The URI path part of pathinfo is not "ignored", nor "considered" by the web
server. It is simply passed to the php application. If your application
chooses to include it in the response, then the application must be
corrected.
On Tue, Nov 14, 2023 at 3:57 PM Murray Collingwood <
Hi Frank
Yes, and I can do this, but I'm really surprised that this extra content is
even being reflected back to the web user. My assumption was if I ignore
anything beyond my "appwaz.php" it will be ignored by the web server so
why is this text being reflected back as part of the
Since you're using appwaz.php to serve your content and parsing the
pathinfo, it falls back on your php application to discard values that are
malicious or incorrect.
On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood <
mur...@focus-computing.com.au> wrote:
> Good question @Frank, and yes it is.
Good question @Frank, and yes it is.
Cheers
Murray
On Wed, 15 Nov 2023 at 07:36, Frank Gingras wrote:
> To be clear, is sobs.com.au your domain name?
>
> On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <
> mur...@focus-computing.com.au> wrote:
>
>> Hi folks
>>
>> First time poster. I
To be clear, is sobs.com.au your domain name?
On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <
mur...@focus-computing.com.au> wrote:
> Hi folks
>
> First time poster. I recently became aware that hackers were able to
> include scripts in my URLs that would run (when reflected back to the
>
Hi folks
First time poster. I recently became aware that hackers were able to
include scripts in my URLs that would run (when reflected back to the
client web browser).
Is there a simple configuration in Apache that allows me to apply strict
rules to the URLs that would stop this happening?