This is the issue:
CakePHP is generating strange cache files in cache / view:
"2f400_shtml.php"
"d_allow_url_include_3don_d_auto_prepend_file_3d_2f_2f_2f_2f_2f_2f_2f_2f_2f_2f_2f_2fetc_2fpasswd"
I do not quite understand what is happening, but while reviewing the files I saw this in the unserialized request of this file:
"query";a:1:{s:10:"/400_shtml";s:0:"";}
Has someone already had this problem?
This occurs in the production server but not in my local environment.
Can these be attempted attacks?
Thanks, your comments are appreciated.
Yes it looks like someone is messing about with your site. Looks like they are trying to access the /etc/passwd file.
Someone has hit a URL that has made Cake create the cache file. Cake will URL-encode the URL that has been hit and replace special characters with underscores.
So the request would have involved a lot of / characters there.
Take a look at your Apache access.log file and you will be able to see more clearly the kind of request people have been making:
E.g.
cat <apache_logs_dir>/access.log | grep passwd
Will show similar requests to that second one there.
I would try it yourself to make sure they didn't have any success :)
It's probably time to ensure Apache only has access to the directories that you want it to. I think you can use the <directory> tag for this:
http://httpd.apache.org/docs/2.2/mod/core.html#directory
(I am only assuming you're using Apache; if you're using IIS you may need to investigate similar functions.)
Looking around Google, it looks like it might be someone trying to exploit this vulnerability:
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
Extract from that link:
The PHP guys are recommending the following .htaccess hack to block those attacks:
RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
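The two RewriteCond tests from the quoted rule can also be run over the access log, to find requests the rule would have rejected and to see which of them the server answered with a non-error status. This is an added example, not code from the original posts; the log lines are constructed from the cache file names in the question, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined format), modelled on the cache file
# names in the question; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2012:10:00:01 +0000] "GET /400.shtml?-d+allow_url_include%3don+-d+auto_prepend_file%3d/etc/passwd HTTP/1.1" 404 312 "-" "-"
198.51.100.4 - - [10/May/2012:10:00:05 +0000] "GET /posts/view?id=12&sort=date-desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:10:00:09 +0000] "GET /index.php?%2Dd+allow_url_include%3don HTTP/1.1" 200 48 "-" "-"
198.51.100.9 - - [10/May/2012:10:01:00 +0000] "GET /search?q HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
NO_EQUALS = re.compile(r"[^=]*")            # RewriteCond %{QUERY_STRING} ^[^=]*$
DASH = re.compile(r"%2d|-", re.IGNORECASE)  # RewriteCond %{QUERY_STRING} %2d|\- [NC]


def rule_would_block(raw_query):
    """Apply both conditions to the raw (still percent-encoded) query string."""
    return bool(NO_EQUALS.fullmatch(raw_query)) and bool(DASH.search(raw_query))


def find_attempts(log_text):
    """Return one record per log line whose query string the rule would reject."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        path, _, raw_query = m.group("target").partition("?")
        if rule_would_block(raw_query):
            hits.append({
                "ip": m.group("ip"), "path": path,
                "status": int(m.group("status")),
                "decoded": unquote_plus(raw_query),  # readable form for triage
            })
    return hits


def needs_review(hits):
    """Attempts that were not answered with a 4xx/5xx deserve a closer look."""
    return [h for h in hits if h["status"] < 400]


if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print(hit)
```

A status below 400 on a matching line does not by itself mean the request succeeded; it marks the lines to check against what the server actually returned.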
I have looked around and attempted my own research on this topic but to no avail just yet.
I have a dynamic webpage set up to look for an ID from a database to retrieve elements required. This results in of course the web page looking like www.site.com/page?id=1
My desired outcome would be like a title for this page to be called.
Such as, say I had a fruit product and a user went to my site and went to the address /fruit, it would be the content of ?id=1, just as an example.
I have seen this used on many a site but not sure how this is programmed or works. Is this something to do with an htaccess document?
Thanks in advance. Appreciate all the help.
While this has been asked and answered many times, I know many people find it difficult to search for this since there are so many common "noise" words related to it. For that reason, I believe it's worth answering again.
If you're using Apache as your webserver (which I'm assuming you are since you mention .htaccess), what you're looking for to create those "clean URLs" is mod_rewrite, which takes a set of rules and rewrites the URL requested by the browser to another path or script.
You would typically enable this in your Apache config or in .htaccess, and in a simple form (a one-to-one mapping) it would look something like this (provided mod_rewrite is installed):
RewriteEngine On
RewriteRule ^fruit$ index.php?type=1 [L]
Now obviously that doesn't scale well if you have a bunch of dynamic pages you want to create, so what you can do is tell all pages that aren't a real file or directory to be passed to a file for processing, like so:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
In this case we're rewriting any request that doesn't resolve to a real file or directory to index.php, and then using the "last" flag [L] to stop processing other rules. Then in our PHP script, we can access the virtual path (in this case /fruit) by using $_SERVER['PATH_INFO'] and doing whatever conditional logic we want with that. If you don't get anything in that variable, ensure that the AcceptPathInfo On directive is set in your Apache config or .htaccess.
A way to test the basic concept/logic without having any rewrite rules would be to use a URL like https://example.com/index.php/fruit. You'll then see that in index.php $_SERVER['PATH_INFO'] will contain the string /fruit. You can rewrite URLs to files in other directories, chain rewrite rules, redirect the browser to other URLs, or even edit environment variables.
There are many good tutorials around using mod_rewrite for clean URLs, so I won't attempt to cover all the nuances here. Just know that it's a very powerful tool, but it's also pretty easy to break your rules if you aren't very comfortable with regular expressions or get lost in the many rules that are commonly in a configuration.
Note that if this is an existing site, you'll also want to use mod_rewrite or mod_redirect to redirect the old URLs to the new ones so they don't break (and for the benefit of having a single URL for search rankings).
I have a problem with a project I'm doing with PHP and it's in the URLs.
When I load a script like index.php everything works fine, the problem is when I load a script that is located within two or more directories.
In the URL the scripts with the routes begin to be enmeshed
Here is an example of the problem I have
I need to load a script, even if it is in several levels of nesting, make its functionality and in the url is reflected as:
I need to have something like this
I thank you in advance.
Regards
You can't use PHP to achieve this. PHP is not responsible for determining if PHP (let alone a particular PHP script) will handle any given URL.
You have to configure your webserver to do it. Since you mention .htaccess but provide no further information about your server, I'm going to assume you are using Apache HTTPD.
For Apache, that means using mod_rewrite, Alias or something similar. You can put the configuration for those tools in .htaccess, but you don't want to and the documentation advises not to use them.
So put your mod_rewrite or Alias configuration in the main Apache configuration.
You're going to need an htaccess rule no matter what. However, it doesn't have to be a mod_rewrite rule. The reason you need this rule is because PHP is not responsible for the routing - it is merely responsible for the execution of your script.
The point of the rule is to direct apache and instruct it to execute the right script (in your case, script32.php) while keeping the request uri as intact as possible.
There are two ways around it, basically.
Way 1 (cleaner): mod_rewrite
This is pretty straightforward, the set of rules you need are as follows:
# If the requested file name is a valid file/inode
RewriteCond %{REQUEST_FILENAME} -f [OR]
# ...or a directory
RewriteCond %{REQUEST_FILENAME} -d
# ...then throw them straight on it
RewriteRule (.*) - [L]
# ...otherwise, redirect to script32.php with the full content of the request in query string
RewriteRule (.*) /welcome/script32.php?$1 [L]
The requested URL is now in $_SERVER['QUERY_STRING'] and you can now do whatever you like with it in PHP
Way 2: catchall
This does not rely on mod_rewrite and may therefore be slightly faster. However, technically, it's a cheap hack. The way around it is as follows:
ErrorDocument 404 /welcome/script32.php
The requested URL can now be found in $_SERVER['REQUEST_URI'] and is available for parsing in PHP. However, with this, you've also disabled "legit" 404 errors from being generated through apache - and should make sure to obey proper behaviour in PHP to compensate.
I realize this question has been beaten to death by a lot of people asking it, but most of the answers appear to be for a very specific case that only suits their needs, and so far I have not found a suitable solution (at least, as far as I can see).
My problem is that I am trying to make my website redirect URL parameters from an ID to an actual string.
For example:
www.example.com/?category=1
would display as:
www.example.com/software
while
www.example.com/?category=2
would be displayed as:
www.example.com/software/desktop
From what I've read up, I'm supposed to be looking into an apache rewritemap, and this is where my confusion comes in. I'd really rather not have to load from a flat txt file, as I'd like to make this as dynamic as possible, and I have read that I can make it read from a php file and read it from a MySQL database, which is what I'd like.
The problem with that is that I'm really not too sure what the proper way is of achieving this. The RewriteMap document only somewhat covers flat .txt files, and not achieving it with MySQL.
So basically what I'm asking is if someone can explain how to achieve what I'm looking for, or at least point me in the right direction. Most of the threads I've found so far have sadly not been too helpful as of yet, but it's possible I might have passed by useful ones.
If it helps, right now, my MySQL data is formatted in an inherited structure like so:
ID | Title | Link | Parent
1 | Software | /Software/ | NULL
2 | Desktop Software | /Software/Desktop/ | 1
2 | Mobile Software | /Software/Mobile/ | 2
PS:
I should add that most solutions I've found give this as the example:
RewriteMap examplemap prg:/path/to/file.php
RewriteRule (.*) ${examplemap:$1}
Yet it never gives information as to what is in that file.php, and how it queries and returns the value.
EDIT
I should mention that I am on a shared hosting server, not my own private one, and so I may not have access to all possible options
EDIT 2
Just for the sake of clarity:
What I'm trying to do is make it so that a user who accesses 'example.com/software' would be treated as though they are on 'example.com/?category=1'; basically prettying the link and making it more readable. The only thing is, I'm trying to read it from a database
If you don't have access to the server or vhost config, you can't use RewriteMap anyways. The map itself needs to be defined in either the server or vhost config, not in an htaccess file. But apache 2.4 has an option of using mod_dbd to use an SQL query to define a rewrite map.
If you need to access MySQL, you're probably better off doing all of this in PHP instead of using mod_rewrite. You'd use mod_rewrite to route to your php file, which would then redirect. Maybe something like this?
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /file.php?link=$1 [L]
So when someone requests http://example.com/Software/Mobile/, the request gets rewritten to: /file.php?link=Software/Mobile/, and your file.php script would do the lookup.
Or if you actually mean the other way around:
RewriteCond %{QUERY_STRING} category=([0-9]+)
RewriteRule ^$ /file.php?ID=%1 [L]
So when someone requests http://example.com/?category=2, the request gets rewritten to: /file.php?ID=2 and the php script does the lookup.
My suggestion would be to look at utilizing a front controller pattern. I think that once you start getting into user friendly URLs or the concept of "routes", that the front controller can really simplify things since you no longer have to worry about mapping specific URLs to specific controllers at the web server level.
If you have Apache mod_dir enabled (chances are you do), you could do something like this in your Apache config or .htaccess:
FallbackResource /index.php
This simple directive will direct any requests that would otherwise cause a 404 error to be directed to a front controller at /index.php.
This can also be done via mod_rewrite like this:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php [L,QSA]
In the front controller, you could evaluate the URI and route the request to whatever logic needs to handle the request. You could do this via lookup of routes from a database or a hard-coded array of routes or whatever. (I would suggest however that, if using a database, you have a cached version of the routes available for quick access).
There are a number of different PHP route controllers available such that you don't need to reinvent the wheel (most every modern framework has some sort of routing concept).
I am trying to rewrite my URL and having serious issues. I am on a Godaddy linux hosting server and it didn't come with any type of config file or .htaccess file. I created my own .htaccess file with the below rewrite info but I have no idea how to do anything else:
RewriteEngine On
RewriteRule ^NSN/([^/]*)\.html$ /nsn.php?NSN=$1 [L]
The people at Godaddy told me I could use URL Redirect to help with this but I am not even sure what that means.
If someone could please help with the next steps of how to make this work, it would be greatly appreciated.
Thank You.
Rewriting URLs is mapping the URL you see in the browser from the default to something more meaningful or memorable. The simplest example is something like this:
# Replace all html references with php
RewriteRule html php
A testing tool will save time, and understanding how to use aliases or redirects to avoid regular expressions may be helpful.
Hey guys I have a question. I wanna create a profile page for each new user, and I noticed that on facebook you could simply type in www.facebook.com/username and you get to the user's page, my question is, how can I do this without something like domain.com/users.php?useraname="username" or something like that? How can I simply make it like the facebook one?
What you are looking for is mod_rewrite. This will allow you to write PHP code that appears to the end user to be a directory on the server (such as www.facebook.com/user.php?username into www.facebook.com/username.)
An introduction to them with PHP can be found here: http://wettone.com/code/clean-urls
Please note you will need to enable it on your server. That should be possible in the .htaccess file if you're running an Apache server.
This is not a complete answer since I'm NOT a php guy
What you're looking for is RESTful URLs; mostly you can get URLs like that on your web app if you use a framework that supports RESTful URLs.
See this SO question:
REST-style URLS and PHP
See this article:
http://blog.garethj.com/2009/02/building-a-restful-web-application-with-php/
Search google and Search SO with google
This can’t be done with PHP alone. It’s the web server that needs to know how to handle these kinds of requests first.
Because, to put it simply, a web server just takes the requested and tries to map it onto a file in the file system below the document root directory. And if it can’t find an appropriate file, it returns an 404 error code.
Now there is some kind of URL rewriting mechanism for almost every web server software. In case of Apache as the most popular web server software out there, there is mod_rewrite that allows URL rewriting based on rules. In this case the following could enable /users.php?username=username being also accessible through /username:
RewriteEngine on
RewriteRule ^[a-z]+$ index.php?username=$0
Options +FollowSymLinks
RewriteEngine On
RewriteBase /php/profile
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^users/(.*)$ ./profile.php
http://example.com/users/waqar.alamgir
In $_SERVER['REQUEST_URI'] you will see users/waqar.alamgir