views: 81
answers: 2

Hi all,

I am testing the security of my website. I am using the following URL to load a PHP page in my website, on localhost:

http://localhost/domain/user/index.php/apple.php

When I do this, the page does not load normally; instead, the images and icons used in the page simply vanish from the page. Only text appears. Also, any link I click on this page brings me to this same page again without navigating to the required page. So if I have hyperlinks to other pages, such as "SEARCH", which points to search.php, instead of navigating to the search.php page, it refreshes the index.php page and just appends the page name of the destination page to the end of the URL.

For example, say I used the link above. It then loads the index.php page minus the images at its will. When I click on the "Search" link to navigate to the search page, I see the following in the URL:

http://localhost/domain/user/index.php/search.php

I have a redirection configured to a 404 error page in my .htaccess file, but the page does not redirect to the 404 error page. Notice the search.php towards the end of the URL above. Any other link that I click reloads the index.php page and just appends the destination page name to the end of the URL like I have shown above.

I was expecting to see a 404 error but that does not happen. The URL should not even be able to load the page because I do NOT have an "index.php" folder in my website.

What can I do to solve this? All help is appreciated.

Update:

The security concern is that users are able to see a non-existing page (which is quite misleading) like http://localhost/domain/user/index.php/apple.php, especially when it does not exist. This makes me feel that this is going to open doors for hackers to exploit the website and compromise its integrity. Can this happen in such a case? I want users to see a 404 error page and I am willing to make any change needed in the .htaccess file to accommodate this.

Can you suggest some code that I can add to my .htaccess file to accomplish this?

Thank you.

EDIT1:

Here are the contents of my .htaccess files. I have 2 of them. One in domain root and the other in 'user' folder/directory.

# .htaccess in domain root
ErrorDocument 404 /domain/404.php

# .htaccess in user folder
ErrorDocument 404 /domain/user/404.php

EDIT2:

@Pekka Thanks for the link. I added the following code in the .htaccess file (within the user directory)

<Files "mypaths.php">
Options +Includes
SetOutputFilter INCLUDES
AcceptPathInfo Off
</Files>

But still this does not show me the 404 page. Sorry, I am very much a novice with .htaccess. Hope you will be able to tell me what I am doing wrong. Thanks.

+2  A: 

The reason why this loads a page:

http://localhost/domain/user/index.php/apple.php

is easily explained. The request is passed to index.php, with apple.php being in the $_SERVER["PATH_INFO"] variable.

So you are in the /user directory as far as the server and the PHP script are concerned.

This is also why no 404 turns up: index.php is always found, no matter which file you specify as the last file.

The browser, however, interprets index.php not as a file, but as the parent directory of apple.php.

Therefore, every relative link you put on the page, say to contact.php, is fetched like this:

http://localhost/domain/user/index.php/contact.php

which obviously won't work.

What you may want to do is use absolute paths in images and links, but either way, this is of no concern to security whatsoever.

As a side note, this whole phenomenon is sometimes used to create search engine friendly URLs without having to use the mod_rewrite module.

You can turn this behaviour off using the AcceptPathInfo directive.

Pekka
Thank you for the reply, Pekka. I understand the images part and I believe that's fairly easy to take care of. What really concerns me is that I want the user to see a 404 page when they try to access a non-existing page via http://localhost/domain/user/index.php/apple.php because apple.php does not exist. How can I modify my .htaccess to accommodate this change?
Devner
@Devner you can use the `$_SERVER["PATH_INFO"]` variable to check whether your index.php has been called the way you describe.
Pekka
@Pekka I have edited my post and added information about the .htaccess. Kindly check and post your comment as to how I can show a 404 error so that it's more appropriate and not misleading (the way it is right now). Thanks.
Devner
@Devner the 404 is fine, the "problem" is that a file is being called that *does* exist. You would have to test `$_SERVER["PATH_INFO"]` to see whether there are any "appendixes" to the URL, and throw a 404 manually `header("HTTP/1.1 404 Not Found");` or simply `die()`. However, I don't see why you are going through all this trouble in the first place. Why would somebody call your page this way at all?
Pekka
@Pekka Actually I was working on a form submission issue and on preventing form submission spoofing. A general user would not do that. I fear anyone (malicious user) who wants to exploit my website by using the links that I have given as example may try to do so. Does that make sense? So is testing $_SERVER["PATH_INFO"] the only solution? Can I just not do something in .htaccess?
Devner
Also I just tried out appending such similar false extensions to URLs of some websites out there and so far they all reported a "Sorry not found" page. So that means everyone else seems to have at least provided a graceful degradation method. I would like to do that as well, please.
Devner
@Devner http://httpd.apache.org/docs/2.0/mod/core.html (`AcceptPathInfo`) As I said, I can't see a security issue here but if you feel better turning it off, do it. Should work fine.
Pekka
@Pekka, I think we are almost there. I am just hung up on the last part. I have edited my posting to include the change that I made to the .htaccess file. Can you please refer to it and comment? Thanks.
Devner
@Devner remove the `<Files "mypaths.php">` and `</Files>`. Directives only, no sections.
Pekka
+1 @Pekka You are AWESOME! That solves my problem. Appreciate your help a ton. Thank you very much.
Devner
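A guard along the lines Pekka describes in the comments above, written here as an added example; it is not code from either answer or from the original post. It assumes Apache with mod_php, that the script runs as /domain/user/index.php, and that the sample request arrays below are constructed for illustration. The .htaccess alternative from the same comments is the bare directive `AcceptPathInfo Off` (no `<Files>` section around it), which makes Apache itself answer 404 for /index.php/apple.php before PHP ever runs; the PHP check is for setups where that directive cannot be used.

```php
<?php
// Added example (not from the original post): refuse requests that carry
// trailing path segments such as /index.php/apple.php.
// Assumed deployment: Apache + mod_php with AcceptPathInfo still on.
// With "AcceptPathInfo Off" in .htaccess, Apache returns the 404 itself.

/**
 * Return true when the request has trailing path info.
 * Takes the server array as a parameter (instead of reading $_SERVER
 * directly) so the check can be exercised offline with constructed input.
 * ORIG_PATH_INFO is checked too, since some CGI/FastCGI setups populate
 * that key instead of PATH_INFO.
 */
function hasTrailingPathInfo(array $server): bool
{
    foreach (['PATH_INFO', 'ORIG_PATH_INFO'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return true;
        }
    }
    return false;
}

/**
 * Emit a 404 and stop, as suggested in the comments (header() + die()).
 * Apache's ErrorDocument is not applied to a status set by the script,
 * so the script has to send its own (minimal) body.
 */
function reject404(): void
{
    header('HTTP/1.1 404 Not Found');
    header('Content-Type: text/plain; charset=utf-8');
    echo "404 Not Found\n";
    exit;
}

// Constructed sample requests mirroring the question (not real traffic).
$samples = [
    ['SCRIPT_NAME' => '/domain/user/index.php', 'PATH_INFO' => '/apple.php'],
    ['SCRIPT_NAME' => '/domain/user/index.php', 'PATH_INFO' => '/search.php'],
    ['SCRIPT_NAME' => '/domain/user/index.php'],
];
foreach ($samples as $s) {
    printf("%s%s -> %s\n",
        $s['SCRIPT_NAME'],
        $s['PATH_INFO'] ?? '',
        hasTrailingPathInfo($s) ? 'reject with 404' : 'serve normally');
}

// In production, place this at the very top of index.php, before any output.
if (PHP_SAPI !== 'cli' && hasTrailingPathInfo($_SERVER)) {
    reject404();
}
```

Run from the command line the loop prints which of the constructed requests would be rejected; under Apache the final `if` is what actually fires. Note that the images and relative links still break only because the browser treats index.php as a directory, so switching to absolute paths (as both answers advise) is an independent fix from the 404 handling.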
A: 

As for the images, you just have to learn to use absolute paths to your images, which is absolutely necessary.

Just instead of images/head.jpg write /images/head.jpg and you will have all your images and styles in place.

As for the /user/index.php/apple.php - why do you want such an odd address?
Why not just use user/apple.php?

And where is security in your question?

Col. Shrapnel
Thank you for the reply, Col. The security part is that I actually do not have a dir called "index.php" and I do not have an apple.php page in my website. So if anyone manually enters such a URL within my website (when it goes live), I don't want them to be able to browse the page. Instead I want to show them the 404 page. So I am not the one who is typing: /user/index.php/apple.php. It can be some malicious user trying to hack my website. So that's the security issue I have. Does that make sense?
Devner