Hi Frank
I should mention that a hacker found this vulnerability and sent me the URL.
I'm reasonably confident this isn't coming from my PHP application.
The text from the path_info is turning up in the <body>, here's a screenshot
[image: image.png]
But my PHP code generates this <body> code like this:
<body class="page-<?= $filename ?> <?= $hasHeader ? 'has-header' : '' ?> <?=
$hasSideMenu ? 'has-side-menu' : '' ?>">
Hmmm, that looks suspiciously like the $filename causing the
problem....where does that come from?
$filename = pathinfo($_SERVER['PHP_SELF'], PATHINFO_FILENAME);
PHP_SELF is including the script and also the path_info - darn!
Changed to SCRIPT_NAME which is just the script name.
$filename = pathinfo($_SERVER['SCRIPT_NAME'], PATHINFO_FILENAME);
Sorry - this is clearly my problem... but thank you Frank for the pointer
in the right direction.
Cheers
Murray
On Wed, 15 Nov 2023 at 10:04, Frank Gingras <thumbs@apache.org> wrote:
> The URI path part of pathinfo is not "ignored", nor "considered" by the
> web server. It is simply passed to the php application. If your application
> chooses to include it in the response, then the application must be
> corrected.
>
> On Tue, Nov 14, 2023 at 3:57?PM Murray Collingwood <
> murray@focus-computing.com.au> wrote:
>
>> Hi Frank
>>
>> Yes, and I can do this, but I'm really surprised that this extra content
>> is even being reflected back to the web user. My assumption was if I
>> ignore anything beyond my "appwaz.php" it will be ignored by the web
>> server.... so why is this text being reflected back as part of the
>> response??? Is it something I'm doing in my php script? (I don't think so).
>>
>> Cheers
>> Murray
>>
>>
>>
>> On Wed, 15 Nov 2023 at 09:47, Frank Gingras <thumbs@apache.org> wrote:
>>
>>> Since you're using appwaz.php to serve your content and parsing the
>>> pathinfo, it falls back on your php application to discard values that are
>>> malicious or incorrect.
>>>
>>> On Tue, Nov 14, 2023 at 3:37?PM Murray Collingwood <
>>> murray@focus-computing.com.au> wrote:
>>>
>>>> Good question @Frank, and yes it is.
>>>>
>>>> Cheers
>>>> Murray
>>>>
>>>>
>>>>
>>>> On Wed, 15 Nov 2023 at 07:36, Frank Gingras <thumbs@apache.org> wrote:
>>>>
>>>>> To be clear, is sobs.com.au your domain name?
>>>>>
>>>>> On Tue, Nov 14, 2023 at 1:26?PM Murray Collingwood <
>>>>> murray@focus-computing.com.au> wrote:
>>>>>
>>>>>> Hi folks
>>>>>>
>>>>>> First time poster. I recently became aware that hackers were able to
>>>>>> include scripts in my URLs that would run (when reflected back to the
>>>>>> client web browser).
>>>>>>
>>>>>> Is there a simple configuration in Apache that allows me to apply
>>>>>> strict rules to the URLs that would stop this happening?
>>>>>>
>>>>>> Alternatively, is there something I have opened / allowed that
>>>>>> enables this?
>>>>>>
>>>>>> For example:
>>>>>> https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj
>>>>>>
>>>>>>
>>>>>> Hope you can help.
>>>>>>
>>>>>> Cheers
>>>>>> Murray
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Murray Collingwood
>>>>>> Focus Computing
>>>>>>
>>>>>> Australia ph 07 3175 0575
>>>>>> New Zealand ph 03 928 1699
>>>>>>
>>>>>> http://www.focus-computing.com.au
>>>>>>
>>>>>>
>>>>
>>>> --
>>>> Murray Collingwood
>>>> Focus Computing
>>>>
>>>> Australia ph 07 3175 0575
>>>> New Zealand ph 03 928 1699
>>>>
>>>> http://www.focus-computing.com.au
>>>>
>>>
>>
>> --
>> Murray Collingwood
>> Focus Computing
>>
>> Australia ph 07 3175 0575
>> New Zealand ph 03 928 1699
>>
>> http://www.focus-computing.com.au
>>
>
--
Murray Collingwood
Focus Computing
Australia ph 07 3175 0575
New Zealand ph 03 928 1699
http://www.focus-computing.com.au
