Hi Frank Yes, and I can do this, but I'm really surprised that this extra content is even being reflected back to the web user. My assumption was if I ignore anything beyond my "appwaz.php" it will be ignored by the web server.... so why is this text being reflected back as part of the response??? Is it something I'm doing in my php script? (I don't think so).
Cheers Murray On Wed, 15 Nov 2023 at 09:47, Frank Gingras <thu...@apache.org> wrote: > Since you're using appwaz.php to serve your content and parsing the > pathinfo, it falls back on your php application to discard values that are > malicious or incorrect. > > On Tue, Nov 14, 2023 at 3:37 PM Murray Collingwood < > mur...@focus-computing.com.au> wrote: > >> Good question @Frank, and yes it is. >> >> Cheers >> Murray >> >> >> >> On Wed, 15 Nov 2023 at 07:36, Frank Gingras <thu...@apache.org> wrote: >> >>> To be clear, is sobs.com.au your domain name? >>> >>> On Tue, Nov 14, 2023 at 1:26 PM Murray Collingwood < >>> mur...@focus-computing.com.au> wrote: >>> >>>> Hi folks >>>> >>>> First time poster. I recently became aware that hackers were able to >>>> include scripts in my URLs that would run (when reflected back to the >>>> client web browser). >>>> >>>> Is there a simple configuration in Apache that allows me to apply >>>> strict rules to the URLs that would stop this happening? >>>> >>>> Alternatively, is there something I have opened / allowed that enables >>>> this? >>>> >>>> For example: >>>> https://sobs.com.au/ui/appwaz.php/jiwzk%22onload%3d%22alert(1)%22tyysj >>>> >>>> >>>> Hope you can help. >>>> >>>> Cheers >>>> Murray >>>> >>>> >>>> -- >>>> Murray Collingwood >>>> Focus Computing >>>> >>>> Australia ph 07 3175 0575 >>>> New Zealand ph 03 928 1699 >>>> >>>> http://www.focus-computing.com.au >>>> >>>> >> >> -- >> Murray Collingwood >> Focus Computing >> >> Australia ph 07 3175 0575 >> New Zealand ph 03 928 1699 >> >> http://www.focus-computing.com.au >> > -- Murray Collingwood Focus Computing Australia ph 07 3175 0575 New Zealand ph 03 928 1699 http://www.focus-computing.com.au
