Hey all,

Some may remember my question awhile back about ensuring all CC forms are behind https. I've always put them so, but I've taken over maintenance on a site that did not and have since corrected the problem.

Now the client is going for PCI compliance as a requirement by their credit card processor and we have been dealing with issues determined risks by Security Metrics, most which were legit (except one thinking IIS was running on a Linux server!), but this one has me scratching my head.

The original programmer created the following in the system's .htaccess file:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php

...which sends any incorrect URL to the home page, correct? But Security Metrics, as part of their test ran two URLs through the system that while both displaying the home page had different things in the header, which they flagged as an issue. Here is there explanation below, but my question is, why is this considered a security risk, and what suggestions might some of you have to correct it?

Thanks much!

The reason why this issue is being flagged is simply that both links should bring you to the same page but if look at the HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it returns a 403 forbidden even though it still takes you to the main site page, with the other URL (http://www.ranghart.com/cgi-bin/%3fD=A) it is returning a 200 OK when it is the same page as the URL that is returning a 403. You will need to make sure that the pages are responding in the same way to correct this issue.

Skip Evans
Big Sky Penguin, LLC
503 S Baldwin St, #1
Madison WI 53703
Those of you who believe in
telekinesis, raise my hand.
 -- Kurt Vonnegut

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to