You could look at the AcceptPathInfo directive in the meantime as well.

On Tue, Nov 14, 2023 at 4:04 PM Frank Gingras <thu...@apache.org> wrote:
> The URI path part of pathinfo is not "ignored", nor "considered" by the
> web server. It is simply passed to the php application. If your application
> chooses to include it in the response, then the application must be
> corrected.
>
> On Tue, Nov 14, 2023 at 3:57 PM Murray Collingwood <
> mur...@focus-computing.com.au> wrote:
>
>> Hi Frank
>>
>> Yes, and I can do this, but I'm really surprised that this extra content
>> is even being reflected back to the web user. My assumption was if I
>> ignore anything beyond my "appwaz.php" it will be ignored by the web
>> server.... so why is this text being reflected back as part of the
>> response??? Is it something I'm doing in my php script? (I don't think so).
>>
>> Cheers
>> Murray
>>
>> On Wed, 15 Nov 2023 at 09:47, Frank Gingras <thu...@apache.org> wrote:
>>
>>> Since you're using appwaz.php to serve your content and parsing the
>>> pathinfo, it falls back on your php application to discard values that are
>>> malicious or incorrect.
>>>
>>> On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood <
>>> mur...@focus-computing.com.au> wrote:
>>>
>>>> Good question @Frank, and yes it is.
>>>>
>>>> Cheers
>>>> Murray
>>>>
>>>> On Wed, 15 Nov 2023 at 07:36, Frank Gingras <thu...@apache.org> wrote:
>>>>
>>>>> To be clear, is sobs.com.au your domain name?
>>>>>
>>>>> On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <
>>>>> mur...@focus-computing.com.au> wrote:
>>>>>
>>>>>> Hi folks
>>>>>>
>>>>>> First time poster. I recently became aware that hackers were able to
>>>>>> include scripts in my URLs that would run (when reflected back to the
>>>>>> client web browser).
>>>>>>
>>>>>> Is there a simple configuration in Apache that allows me to apply
>>>>>> strict rules to the URLs that would stop this happening?
>>>>>>
>>>>>> Alternatively, is there something I have opened / allowed that
>>>>>> enables this?
>>>>>>
>>>>>> For example:
>>>>>> https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj
>>>>>>
>>>>>> Hope you can help.
>>>>>>
>>>>>> Cheers
>>>>>> Murray
>>>>>>
>>>>>> --
>>>>>> Murray Collingwood
>>>>>> Focus Computing
>>>>>>
>>>>>> Australia ph 07 3175 0575
>>>>>> New Zealand ph 03 928 1699
>>>>>>
>>>>>> http://www.focus-computing.com.au
>>>>>>
>>>>
>>>
>>
>
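As an added example that is not part of this thread and not the code of sobs.com.au's appwaz.php, the following PHP front controller handles PATH_INFO the way Frank describes: it only accepts a segment that matches a strict pattern and an allow list of known views, answers anything else with a generic 404 that does not echo the rejected path, and HTML-escapes even the vetted value before it is written into the response. The view names, the `resolveView` and `h` helpers and the CSP header are constructed for illustration, not taken from the original application.

```php
<?php
// Added example (not from the thread): a PATH_INFO-driven front controller
// that discards unexpected path values instead of reflecting them.
declare(strict_types=1);

// Constructed allow list of views the application actually knows about.
const ALLOWED_VIEWS = ['home', 'about', 'contact'];

/**
 * Return the view named by PATH_INFO, or null if the path is not one we serve.
 * PATH_INFO arrives already percent-decoded, so a value such as
 * /jiwzk"onload="alert(1)"tyysj fails the character check and is dropped.
 */
function resolveView(?string $pathInfo): ?string
{
    if ($pathInfo === null || $pathInfo === '') {
        return 'home';
    }
    // Exactly one segment of lowercase letters or hyphens, optional trailing slash.
    if (!preg_match('~^/([a-z-]{1,32})/?$~', $pathInfo, $m)) {
        return null;
    }
    return in_array($m[1], ALLOWED_VIEWS, true) ? $m[1] : null;
}

/** HTML-escape a string for insertion into an HTML text node or attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$view = resolveView($_SERVER['PATH_INFO'] ?? null);

header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: a CSP without 'unsafe-inline' stops inline handlers
// such as onload="..." from running even if some output escaping is missed.
header("Content-Security-Policy: default-src 'self'");

if ($view === null) {
    http_response_code(404);
    // Generic message: the rejected PATH_INFO is never written back to the client.
    echo '<p>Page not found.</p>';
    exit;
}

// Even an allow-listed value is escaped before it reaches the HTML.
echo '<h1>' . h($view) . '</h1>';
```

If the application does not need the trailing path at all, the directive Frank mentions closes the issue before PHP runs: with `AcceptPathInfo Off` in the virtual host (or in a `<Files "appwaz.php">` block), Apache answers a request like `/ui/appwaz.php/anything` with 404 instead of passing `/anything` to the script. Where the application does route on PATH_INFO, the directive cannot be turned off and the validation and escaping above are what stands between the URL and the response body.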