Ray Leventhal
2011-Jul-19 20:28 UTC
[CentOS] [OT] Apache oddity - appending garbage request does not result in a 404
Hi,

I know this is OT and I apologize in advance, but with the wealth of knowledge on this list I hope that some kind soul will help (off list is fine).

I run CentOS 5.6 with the usual LAMP stack. One of the virtual sites on this server failed a PCI Compliance (credit card security stuff) because, of all things, a URL with a non-existent request after the .php doesn't return a 404 and I can't figure out why.

Example: http://www.domain.com/pagedoesnotexist returns the expected 404.

But browse to a page that does exist, like goodpage.php, then append either a slash and some random string, or a ?=somerandomstring and the goodpage.php is still displayed.

I'll gladly provide more info, if needed. Any pointers on where to look would be truly appreciated.

Thanks in advance, and my apologies for the noise.

-Ray
John R Pierce
2011-Jul-19 20:47 UTC
[CentOS] [OT] Apache oddity - appending garbage request does not result in a 404
On 07/19/11 1:28 PM, Ray Leventhal wrote:
> Example: http://www.domain.com/pagedoesnotexist returns the expected 404
>
> But browse to a page that does exist, like goodpage.php, then append
> either a slash and some random string, or a ?=somerandomstring and the
> goodpage.php is still displayed.
>
> I'll gladly provide more info, if needed. Any pointers on where to look
> would be truly appreciated.

your php page should examine the arguments and if there's anything there unexpected, it should force the 404 via

    {
        header ('Location: '.$newReq);
        header ('HTTP/1.0 404 Page Not Found');
        die; // Don't send any more output.
    }

or whatever...

--
john r pierce N 37, W 122
santa cruz ca mid-left coast
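
The check suggested in the reply above, written out as an added example (not code from either poster). It rejects both cases from the original question, a trailing `/somerandomstring` and `?=somerandomstring`. The function names, the allowed parameter `id` and the sample requests are assumptions, and it assumes PHP 7 or later.

```php
<?php
// Added example; is_unexpected_request() and send_404_and_exit() are
// hypothetical names, and 'id' stands in for the page's real parameters.

/** True when the request has trailing path info or a query key not on the allow-list. */
function is_unexpected_request(array $server, array $allowedParams): bool
{
    // Apache sets PATH_INFO for /goodpage.php/anything.
    if (($server['PATH_INFO'] ?? '') !== '') {
        return true;
    }
    // Inspect the raw query string: PHP drops empty-named variables such as
    // "?=garbage" from $_GET, so checking $_GET alone would miss that case.
    foreach (explode('&', $server['QUERY_STRING'] ?? '') as $pair) {
        if ($pair === '') {
            continue; // no query string, or a stray "&"
        }
        $key = urldecode(explode('=', $pair, 2)[0]);
        if (!in_array($key, $allowedParams, true)) {
            return true;
        }
    }
    return false;
}

function send_404_and_exit(): void
{
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "404 Not Found\n";
    exit; // Don't send any more output.
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, so the file can be run from the command line.
    $samples = [
        ['QUERY_STRING' => ''],
        ['QUERY_STRING' => 'id=7'],
        ['QUERY_STRING' => '=somerandomstring'],
        ['PATH_INFO' => '/somerandomstring', 'QUERY_STRING' => ''],
    ];
    foreach ($samples as $s) {
        printf("%-55s %s\n", json_encode($s), is_unexpected_request($s, ['id']) ? '404' : '200');
    }
} elseif (is_unexpected_request($_SERVER, ['id'])) {
    // At the top of goodpage.php, before any output is sent.
    send_404_and_exit();
}
```

The trailing-path case can also be refused by Apache itself with the core directive `AcceptPathInfo Off`, which leaves only the query-string check to the script.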