I am testing the security of my website. I am using the following URL to load a PHP page in my website, on localhost:
http://localhost/domain/user/index.php/apple.php
When I do this, the page is not loading normally; Instead the images, icons used in the page simply vanish/disappear from the page. Only text appears. And also on any link I click on this page, it brings me to this same page again without navigating to the required page. So if I have hyperlinks to other pages, such as "SEARCH", which points to search.php, instead of navigating to the search.php page, it refreshes the index.php page and just appends the page name of the destination page to the end of the URL.
For example, say I used the link above. It then loads the index.php page minus the images at it's will. When I click on the "Search" link to navigate to the search page, I see the following in the URL:
http://localhost/domain/user/index.php/search.php
I have a redirection configured to a 404 error page in my .htaccess file, but the page does not redirect to the 404 error page. Notice the search.php towards the end of the URL above. Any other link that I click, reloads the index.php page and just appends the destination page name to the end of the URL like I have shown above.
I was expecting to see a 404 Error but that does not happen. The URL should not even be able to load the page because I do NOT have a "index.php" folder in my website.
What can I do to solve this? All help is appreciated.
Update:
The security concern is that users being able to see a non-existing page (which is quite misleading) like http://localhost/domain/user/index.php/apple.php especially when it does not exists. This makes me feel that this is going to open doors for hackers to exploit the website and compromise its integrity. Can this happen in such a case? I want users to see a 404 error page and any I am willing to any change needed in .htaccess file to accommodate this.
Can you suggest me of some code that I can add to my .htaccess file to accomplish this?
Thank you.
EDIT1:
Here are the contents of my .htaccess files. I have 2 of them. One in domain root and the other in 'user' folder/directory.
/*.htaccess in domain root*/
ErrorDocument 404 /domain/404.php
/*.htaccess in user folder*/
ErrorDocument 404 /domain/user/404.php
EDIT2:
#Pekka Thanks for the link. I added the following code in the .htaccess file (within the user directory)
<Files "mypaths.php">
Options +Includes
SetOutputFilter INCLUDES
AcceptPathInfo Off
</Files>
But still this does not show me the 404 page. Sorry, I am very novice with the .htaccess. Hope you will be able to tell me what I am wrong. Thanks.
The behaviour of why this loads a page:
http://localhost/domain/user/index.php/apple.php
is easily explained. The request is passed to index.php, with apple.php being in the $_SERVER["PATH_INFO"] variable.
So you are in the /user directory as far as the server and the PHP script are concerned.
This is also why no 404 turns up: index.php is always found, no matter which file you specify as the last file.
The browser, however, interprets index.php not as a file, but as the parent directory of apple.php.
Therefore, every relative link you put on the page, say to contact.php is fetched like this:
http://localhost/domain/user/index.php/contact.php
which obviously won't work.
What you may want to do is use absolute paths in images and links, but either way, this is of no concern to security whatsoever.
As a side note, this whole phenomenon is sometimes used to create search engine friendly URLs without having to use mod_rewrite module.
You can turn this behaviour off using the AcceptPathInfo directive.
As for the images, you just have to learn to use absolute paths to your images, which is absolutely necessary
Just instead of images/head.jpg write /images/head.jpg and you will have all your images and styles in place.
As for the /user/index.php/apple.php - why do you want such an odd address?
Why not to use just user/apple.php?
And where is security in your question?
Related
I have a website www.thewritedesign.co.uk. My site is based on includes. My navigation at the top of the site all use achor links and the site is all one page. I have an error page, so when you type www.thewritedesign.co.uk/euskdfzxcahsz, the remaining /euskdfzxcahsz stays in the URL and my navigation links do not work when you land on my error page because they have #services #about etc as the link.
I have wrote an if statement for my other page "Terrms and Conditions" if you land on /terms-and-conditions that if you use the navigation links at the top of that page, you can get back on track so the links are now /index#services /index#about etc.
My question is. If you land on www.thewritedesign.co.uk/euskdfzxcahsz, is there an if statement I can use to say whatever page you land on which doesn't exist, go back to /index#services /index#about
Thanks
One of the better ways (in my opinion) is to let the htaccess file handle this issue for you.
The htaccess file has a RewriteEngine that allows you to do a lot of things in terms of URL handling. What's most interesting for you, would be the ErrorDocument 404 handling.
A 404 error is basically a "dead link", meaning that whatever destination the user is trying to arrive at, doesn't exist. You can then choose to redirect the user through an error handling in the htaccess file.
Example:
RewriteEngine on
ErrorDocument 404 http://www.yoursite.com/index.php#services
Change the URL in the example to fit your needs.
I have little to no experience with the following problem so I am turning to the community for help.
My Forum is installed within a folder namedforum within my root directory. When users try to login from a discussion or a thread, they get redirected to a 404 url.
The reason why they are getting redirected to 404-page is because the forum creates a second forum slug within the url, here is an example:
When Viewing a Thread
http://www.example.com/forum/discussion/1/letsTalk
The above is the correct url, HOWEVER, when user tries to login they get redirected to the following url
When Logging IN
http://www.example.com/forum/forum/discussion/1/letsTalk
Notice the forum appearing twice in the above url.
Solution
I am guessing this can be fixed within the htaccess file by creating a re-write rule, which is simple enough. However my problem comes in when users view other threads with a different url than the one given above.
Thus, I need to find a way to remove the second forum appearing within the URL which...I am not sure how to tackle? Can this be fixed within the htaccess or will source code need to be modified?
In your head section in the html you should put
<base href="http://www.example.com/forum"/>
This will make relative urls get prepended with the given base.
Then you should make another .htaccess inside the forum subdirectory
It should contain the following:
RewriteEngine On
RewriteBase /forum/
This will make relative URLs used in your backend get prepended with the base.
I have a website that show information about a shop online. I need following:
When you type example.com/shop/name-shop, this should show the name-shop page.
I'd like only have the file example.com/shop.php which show the information of shop based on the URL. I don't like use example.com/shop?name-shop.
Is this possible or I need to create one file to each shop? I tried to do this with an error page and a header location and works fine but in the url show example.com/shop instead of example.com/shop/name-shop.
Thanks.
EDIT:
I'm using the .htaccess in Apache with ErrorDocument 404 /error404.php In the file error404.php I've a if to check if url is http://example.com/shop/* When the url contains /shop/ redirect with header ("location: website") to the correct shop and works. But in the url in browser only show example.com/shop instead example.com/shop/name-shop. Obviously because i'm redirecting to shop.php
Depending on the web server you are using, you will need to use rewriting rules (mod_rewrite for Apache) or 404 pages to show custom content on each URL using only one PHP file.
I'd recommend you to use Symfony2. You can define routes with placeholders and you have a FrontController, which would correspond to your shop.php file.
I am creating an application in PHP.
One thing I want to do is make it so that if a user types in www.example.com/app/rrr.php where app is the main directory of my application and rrr.php does not exist, that either the program does not go anywhere or use ErrorDocuments in .htaccess to redirect back to the previous page. Thus far the only way I have been able to get this is to add this in my .htaccess:
ErrorDocument 404 C:\Users\Chris\Desktop\wamp\www\Master\errorcode.php
When I try to go to a page that does not exist (by typing in the address area), the program does not attempt to go to it. On a page that does exist (if I type in a php file that I have made) the program advances normally. My problem is that I doubt this will work for users who install it themselves, and I was wondering if anyone had ideas as to how to make this work for everyone.
Couln't understand your question fully, but what I think is,
You should direct user to 404 page where you will check if there is any referer then give a link along with 404 page something like You might want to go back, and if there is no referer just show 404 page.
I got notifications from Google webmaster tool that I have duplicated page titles.
It was properly to browse mysite.com/file.php but I do not know why mysite.com/file.php/ is showing some of content by file.php.
Please advise how to remove/disable content showing when browse mysite.com/file.php/
1st: You might have a filename file.php and directory file.php. Check those out.
2nd: You might have .htaccess rewrite rule, that messes stuff up, if you do check out the syntax on that.
When you hit /file.php, or /file.php/ what changes is pathname that the browser "sees".
In first case, it is /, in second case it's /file.php.
Hence, when you use relative path (to images, stylesheets, etc), in second case the browser will send requests to wrong URIs.
To avoid that, use <base url="http://example.com/path/to/site/root/"> in your HTML