Hi Frank

I should mention that a hacker found this vulnerability and sent me the URL.

I'm reasonably confident this isn't coming from my PHP application. The text from the path_info is turning up in the <body>, here's a screenshot:

[image: image.png]

But my PHP code generates this <body> code like this:

    <body class="page-<?= $filename ?> <?= $hasHeader ? 'has-header' : '' ?> <?= $hasSideMenu ? 'has-side-menu' : '' ?>">

Hmmm, that looks suspiciously like the $filename causing the problem.... where does that come from?

    $filename = pathinfo($_SERVER['PHP_SELF'], PATHINFO_FILENAME);

PHP_SELF is including the script and also the path_info - darn!

Changed to SCRIPT_NAME which is just the script name.

    $filename = pathinfo($_SERVER['SCRIPT_NAME'], PATHINFO_FILENAME);

Sorry - this is clearly my problem... but thank you Frank for the pointer in the right direction.

Cheers
Murray

On Wed, 15 Nov 2023 at 10:04, Frank Gingras <thu...@apache.org> wrote:
> The URI path part of pathinfo is not "ignored", nor "considered" by the web server. It is simply passed to the php application. If your application chooses to include it in the response, then the application must be corrected.
>
> On Tue, Nov 14, 2023 at 3:57 PM Murray Collingwood <mur...@focus-computing.com.au> wrote:
>> Hi Frank
>>
>> Yes, and I can do this, but I'm really surprised that this extra content is even being reflected back to the web user. My assumption was if I ignore anything beyond my "appwaz.php" it will be ignored by the web server.... so why is this text being reflected back as part of the response??? Is it something I'm doing in my php script? (I don't think so).
>>
>> Cheers
>> Murray
>>
>> On Wed, 15 Nov 2023 at 09:47, Frank Gingras <thu...@apache.org> wrote:
>>> Since you're using appwaz.php to serve your content and parsing the pathinfo, it falls back on your php application to discard values that are malicious or incorrect.
>>>
>>> On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood <mur...@focus-computing.com.au> wrote:
>>>> Good question @Frank, and yes it is.
>>>>
>>>> Cheers
>>>> Murray
>>>>
>>>> On Wed, 15 Nov 2023 at 07:36, Frank Gingras <thu...@apache.org> wrote:
>>>>> To be clear, is sobs.com.au your domain name?
>>>>>
>>>>> On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood <mur...@focus-computing.com.au> wrote:
>>>>>> Hi folks
>>>>>>
>>>>>> First time poster. I recently became aware that hackers were able to include scripts in my URLs that would run (when reflected back to the client web browser).
>>>>>>
>>>>>> Is there a simple configuration in Apache that allows me to apply strict rules to the URLs that would stop this happening?
>>>>>>
>>>>>> Alternatively, is there something I have opened / allowed that enables this?
>>>>>>
>>>>>> For example:
>>>>>> https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj
>>>>>>
>>>>>> Hope you can help.
>>>>>>
>>>>>> Cheers
>>>>>> Murray

--
Murray Collingwood
Focus Computing

Australia ph 07 3175 0575
New Zealand ph 03 928 1699

http://www.focus-computing.com.au
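To make the root cause and the fix in this thread reproducible offline, here is an added example (not code from the thread or from Murray's application): it shows why pathinfo() over PHP_SELF picks up the path-info segment while SCRIPT_NAME does not, and adds the two hardening steps Frank's advice implies, an allow-list on the derived value and attribute encoding of the output. The $server array is constructed to mirror what Apache populates for the quoted URL, and pageClassFromServer, safePageClass and renderBody are hypothetical names.

```php
<?php
// Added example, not the application's own code. Reproduces the PHP_SELF
// vs SCRIPT_NAME difference discussed in the thread without a web server.
declare(strict_types=1);

// Murray's original derivation: pathinfo() keeps whatever follows the last "/".
// With PHP_SELF that is the path-info segment, not the script name.
function pageClassFromServer(array $server, string $key): string
{
    return pathinfo($server[$key], PATHINFO_FILENAME);
}

// Hardening step 1: treat the derived value as untrusted and allow-list it.
// Page names are only ever letters, digits, "-" or "_"; anything else is
// discarded (Frank's point) and replaced by a fixed fallback.
function safePageClass(array $server): string
{
    $name = pathinfo($server['SCRIPT_NAME'], PATHINFO_FILENAME);
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) === 1 ? $name : 'unknown';
}

// Hardening step 2: encode for the attribute context regardless of source,
// so a quote can never terminate class="..." and introduce a new attribute.
function renderBody(string $filename, bool $hasHeader, bool $hasSideMenu): string
{
    $classes = array_filter([
        'page-' . $filename,
        $hasHeader ? 'has-header' : '',
        $hasSideMenu ? 'has-side-menu' : '',
    ]);
    $attr = htmlspecialchars(implode(' ', $classes), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<body class="' . $attr . '">';
}

// Constructed $_SERVER subset for the request quoted in the thread.
// Apache hands the path info to PHP already URL-decoded (%22 -> ").
$server = [
    'SCRIPT_NAME' => '/ui/appwaz.php',
    'PATH_INFO'   => '/jiwzk"onload="alert(1)"tyysj',
    'PHP_SELF'    => '/ui/appwaz.php/jiwzk"onload="alert(1)"tyysj',
];

echo "PHP_SELF    -> ", pageClassFromServer($server, 'PHP_SELF'), PHP_EOL;    // path info leaks
echo "SCRIPT_NAME -> ", pageClassFromServer($server, 'SCRIPT_NAME'), PHP_EOL; // script name only
echo "allow-list  -> ", safePageClass($server), PHP_EOL;
// Even the leaked value is inert once encoded for the attribute context.
echo renderBody(pageClassFromServer($server, 'PHP_SELF'), true, false), PHP_EOL;
echo renderBody(safePageClass($server), true, false), PHP_EOL;
```

Run with `php example.php`; the first line shows the raw path-info text that reached the attribute in the original page, the last two show that encoding, not the choice of variable alone, is what keeps the markup intact.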