[users@httpd] Tightening security on my webserver
Hi folks First time poster. I recently became aware that hackers were able to include scripts in my URLs that would run (when reflected back to the client web browser). Is there a simple configuration in Apache that allows me to apply strict rules to the URLs that would stop this happening? Alternatively, is there something I have opened / allowed that enables this? For example: https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj Hope you can help. Cheers Murray -- Murray Collingwood Focus Computing Australia ph 07 3175 0575 New Zealand ph 03 928 1699 http://www.focus-computing.com.au
Re: [users@httpd] Tightening security on my webserver
Good question @Frank, and yes it is. Cheers Murray On Wed, 15 Nov 2023 at 07:36, Frank Gingras wrote: > To be clear, is sobs.com.au your domain name? > > On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood < > mur...@focus-computing.com.au> wrote: > >> Hi folks >> >> First time poster. I recently became aware that hackers were able to >> include scripts in my URLs that would run (when reflected back to the >> client web browser). >> >> Is there a simple configuration in Apache that allows me to apply strict >> rules to the URLs that would stop this happening? >> >> Alternatively, is there something I have opened / allowed that enables >> this? >> >> For example: >> https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj >> >> >> Hope you can help. >> >> Cheers >> Murray >> >> >> -- >> Murray Collingwood >> Focus Computing >> >> Australia ph 07 3175 0575 >> New Zealand ph 03 928 1699 >> >> http://www.focus-computing.com.au >> >> -- Murray Collingwood Focus Computing Australia ph 07 3175 0575 New Zealand ph 03 928 1699 http://www.focus-computing.com.au
Re: [users@httpd] Tightening security on my webserver
Hi Frank Yes, and I can do this, but I'm really surprised that this extra content is even being reflected back to the web user. My assumption was if I ignore anything beyond my "appwaz.php" it will be ignored by the web server so why is this text being reflected back as part of the response??? Is it something I'm doing in my php script? (I don't think so). Cheers Murray On Wed, 15 Nov 2023 at 09:47, Frank Gingras wrote: > Since you're using appwaz.php to serve your content and parsing the > pathinfo, it falls back on your php application to discard values that are > malicious or incorrect. > > On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood < > mur...@focus-computing.com.au> wrote: > >> Good question @Frank, and yes it is. >> >> Cheers >> Murray >> >> >> >> On Wed, 15 Nov 2023 at 07:36, Frank Gingras wrote: >> >>> To be clear, is sobs.com.au your domain name? >>> >>> On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood < >>> mur...@focus-computing.com.au> wrote: >>> >>>> Hi folks >>>> >>>> First time poster. I recently became aware that hackers were able to >>>> include scripts in my URLs that would run (when reflected back to the >>>> client web browser). >>>> >>>> Is there a simple configuration in Apache that allows me to apply >>>> strict rules to the URLs that would stop this happening? >>>> >>>> Alternatively, is there something I have opened / allowed that enables >>>> this? >>>> >>>> For example: >>>> https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj >>>> >>>> >>>> Hope you can help. >>>> >>>> Cheers >>>> Murray >>>> >>>> >>>> -- >>>> Murray Collingwood >>>> Focus Computing >>>> >>>> Australia ph 07 3175 0575 >>>> New Zealand ph 03 928 1699 >>>> >>>> http://www.focus-computing.com.au >>>> >>>> >> >> -- >> Murray Collingwood >> Focus Computing >> >> Australia ph 07 3175 0575 >> New Zealand ph 03 928 1699 >> >> http://www.focus-computing.com.au >> > -- Murray Collingwood Focus Computing Australia ph 07 3175 0575 New Zealand ph 03 928 1699 http://www.focus-computing.com.au
Re: [users@httpd] Tightening security on my webserver
Hi Frank I should mention that a hacker found this vulnerability and sent me the URL. I'm reasonably confident this isn't coming from my PHP application. The text from the path_info is turning up in the , here's a screenshot [image: image.png] But my PHP code generates this code like this: Hmmm, that looks suspiciously like the $filename causing the problemwhere does that come from? $filename = pathinfo($_SERVER['PHP_SELF'], PATHINFO_FILENAME); PHP_SELF is including the script and also the path_info - darn! Changed to SCRIPT_NAME which is just the script name. $filename = pathinfo($_SERVER['SCRIPT_NAME'], PATHINFO_FILENAME); Sorry - this is clearly my problem... but thank you Frank for the pointer in the right direction. Cheers Murray On Wed, 15 Nov 2023 at 10:04, Frank Gingras wrote: > The URI path part of pathinfo is not "ignored", nor "considered" by the > web server. It is simply passed to the php application. If your application > chooses to include it in the response, then the application must be > corrected. > > On Tue, Nov 14, 2023 at 3:57 PM Murray Collingwood < > mur...@focus-computing.com.au> wrote: > >> Hi Frank >> >> Yes, and I can do this, but I'm really surprised that this extra content >> is even being reflected back to the web user. My assumption was if I >> ignore anything beyond my "appwaz.php" it will be ignored by the web >> server so why is this text being reflected back as part of the >> response??? Is it something I'm doing in my php script? (I don't think so). >> >> Cheers >> Murray >> >> >> >> On Wed, 15 Nov 2023 at 09:47, Frank Gingras wrote: >> >>> Since you're using appwaz.php to serve your content and parsing the >>> pathinfo, it falls back on your php application to discard values that are >>> malicious or incorrect. >>> >>> On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood < >>> mur...@focus-computing.com.au> wrote: >>> >>>> Good question @Frank, and yes it is. >>>> >>>> Cheers >>>> Murray >>>> >>>> >>>> >>>> On Wed, 15 Nov 2023 at 07:36, Frank Gingras wrote: >>>> >>>>> To be clear, is sobs.com.au your domain name? >>>>> >>>>> On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood < >>>>> mur...@focus-computing.com.au> wrote: >>>>> >>>>>> Hi folks >>>>>> >>>>>> First time poster. I recently became aware that hackers were able to >>>>>> include scripts in my URLs that would run (when reflected back to the >>>>>> client web browser). >>>>>> >>>>>> Is there a simple configuration in Apache that allows me to apply >>>>>> strict rules to the URLs that would stop this happening? >>>>>> >>>>>> Alternatively, is there something I have opened / allowed that >>>>>> enables this? >>>>>> >>>>>> For example: >>>>>> https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj >>>>>> >>>>>> >>>>>> Hope you can help. >>>>>> >>>>>> Cheers >>>>>> Murray >>>>>> >>>>>> >>>>>> -- >>>>>> Murray Collingwood >>>>>> Focus Computing >>>>>> >>>>>> Australia ph 07 3175 0575 >>>>>> New Zealand ph 03 928 1699 >>>>>> >>>>>> http://www.focus-computing.com.au >>>>>> >>>>>> >>>> >>>> -- >>>> Murray Collingwood >>>> Focus Computing >>>> >>>> Australia ph 07 3175 0575 >>>> New Zealand ph 03 928 1699 >>>> >>>> http://www.focus-computing.com.au >>>> >>> >> >> -- >> Murray Collingwood >> Focus Computing >> >> Australia ph 07 3175 0575 >> New Zealand ph 03 928 1699 >> >> http://www.focus-computing.com.au >> > -- Murray Collingwood Focus Computing Australia ph 07 3175 0575 New Zealand ph 03 928 1699 http://www.focus-computing.com.au
