Hi,
I know this is OT and I apologize in advance, but with the wealth of knowledge on this list I hope that some kind soul will help (off list is fine).
I run CentOS 5.6 with the usual LAMP stack. One of the virtual sites on this server failed a PCI Compliance (credit card security stuff) because, of all things, a URL with a non-existent request after the .php doesn't return a 404 and I can't figure out why.
Example: http://www.domain.com/pagedoesnotexist returns the expected 404
But browse to a page that does exist, like goodpage.php, then append either a slash and some random string, or a ?=somerandomstring and the goodpage.php is still displayed.
I'll gladly provide more info, if needed. Any pointers on where to look would be truly appreciated.
Thanks in advance, and my apologies for the noise.
-Ray
On 07/19/11 1:28 PM, Ray Leventhal wrote:
> Example: http://www.domain.com/pagedoesnotexist returns the expected 404
> But browse to a page that does exist, like goodpage.php, then append either a slash and some random string, or a ?=somerandomstring and the goodpage.php is still displayed.
> I'll gladly provide more info, if needed. Any pointers on where to look would be truly appreciated.

your php page should examine the arguments and if there's anything there unexpected, it should force the 404 via

    {
        header ('Location: '.$newReq);
        header ('HTTP/1.0 404 Page Not Found');
        die; // Don't send any more output.
    }

or whatever...
On Tue, 19 Jul 2011, John R Pierce wrote:
> To: centos@centos.org
> From: John R Pierce pierce@hogranch.com
> Subject: Re: [CentOS] [OT] Apache oddity - appending garbage request does not result in a 404
>
> On 07/19/11 1:28 PM, Ray Leventhal wrote:
>> Example: http://www.domain.com/pagedoesnotexist returns the expected 404
>> But browse to a page that does exist, like goodpage.php, then append either a slash and some random string, or a ?=somerandomstring and the goodpage.php is still displayed.
>> I'll gladly provide more info, if needed. Any pointers on where to look would be truly appreciated.
>
> your php page should examine the arguments and if there's anything there unexpected, it should force the 404 via
>
>     {
>         header ('Location: '.$newReq);
>         header ('HTTP/1.0 404 Page Not Found');
>         die; // Don't send any more output.
>     }
>
> or whatever...
If you don't need or want to pass any variables to your PHP scripts, you could use something like this PHP function:
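    function url_check() {
        // Query string as received by the server; empty when the URL has none.
        $qs = isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : '';

        // Terminate unless the query string is empty or '#top'.
        if ('' <> $qs AND '#top' <> $qs) {
            echo "<p> Passing of variables by URL query string is not supported! </p>";
            echo "<p> Program terminating now - Please try again </p>";
            // Escape the value before echoing it so it cannot inject markup.
            echo "<p> Found in URL -> " . htmlspecialchars($qs, ENT_QUOTES) . " </p>";
            exit();
        }
    }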
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------
On 7/19/2011 4:47 PM, John R Pierce wrote:
> On 07/19/11 1:28 PM, Ray Leventhal wrote:
>> Example: http://www.domain.com/pagedoesnotexist returns the expected 404
>> But browse to a page that does exist, like goodpage.php, then append either a slash and some random string, or a ?=somerandomstring and the goodpage.php is still displayed.
>> I'll gladly provide more info, if needed. Any pointers on where to look would be truly appreciated.
>
> your php page should examine the arguments and if there's anything there unexpected, it should force the 404 via
>
>     {
>         header ('Location: '.$newReq);
>         header ('HTTP/1.0 404 Page Not Found');
>         die; // Don't send any more output.
>     }
>
> or whatever...
Much obliged. I figured I could cure it with php, but was wondering if apache was somehow mis-configured.
Thanks for the help! -Ray
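
The check discussed in the thread, written out as an added example that is not part of any poster's message: it answers 404 when a request carries trailing path info (`/goodpage.php/garbage`) or a query parameter the page did not declare (`?=somerandomstring`). The function names and the `id` parameter are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Return why a request should get a 404, or null if it is acceptable.
// $server: the $_SERVER array; $allowed: query parameter names the page expects.
function request_rejection_reason(array $server, array $allowed)
{
    // /goodpage.php/garbage reaches the script with the extra path in PATH_INFO.
    if (isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '') {
        return 'unexpected path info';
    }
    $raw = isset($server['QUERY_STRING']) ? $server['QUERY_STRING'] : '';
    if ($raw === '') {
        return null;
    }
    // Check the raw pairs: PHP drops a pair with an empty name ("?=garbage")
    // from $_GET, so $_GET alone would not reveal it.
    foreach (explode('&', $raw) as $pair) {
        $parts = explode('=', $pair, 2);
        $name = urldecode($parts[0]);
        if ($name === '' || !in_array($name, $allowed, true)) {
            return 'unexpected query parameter';
        }
    }
    return null;
}

// Call at the top of a page, before any output is sent.
function enforce_exact_request(array $allowed)
{
    if (request_rejection_reason($_SERVER, $allowed) !== null) {
        header('HTTP/1.0 404 Not Found'); // status line only, no Location header
        echo '<h1>Not Found</h1>';        // fixed text; the request is not echoed back
        exit;
    }
}
// Constructed sample requests, exercised from the command line only.
if (PHP_SAPI === 'cli') {
    $samples = array(
        array('PATH_INFO' => '/randomstring', 'QUERY_STRING' => ''),
        array('QUERY_STRING' => '=somerandomstring'),
        array('QUERY_STRING' => 'id=42'),
        array('QUERY_STRING' => ''),
    );
    foreach ($samples as $s) {
        $reason = request_rejection_reason($s, array('id'));
        echo json_encode($s), ' => ', $reason === null ? '200 (serve page)' : "404 ($reason)", "\n";
    }
}
```

On the Apache side, the core directive `AcceptPathInfo Off` makes the server itself return 404 for trailing path info after a real file; it does not affect query strings.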