Security Issue - Is This Bad Or Supposed To Happen?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Superman859
Forum Commoner
Posts: 47
Joined: Sun Oct 29, 2006 10:22 am

Post by Superman859 »

I've noticed something a bit strange on my site - not quite sure how to fix it.

I have a custom 404 error message page that shows up when someone tries to get to a page that doesn't exist on the site. If someone tries to access the page, my server (GoDaddy) redirects them to the page that I specified.

Now here is the issue - if someone types an address in and only enters .ph instead of .php by accident or something, the PHP code for my 404 error message page shows up. This happens a lot of the time - if you try to access a page with a .ph or .p extension - I'm guessing it happens for extensions that are not known. If you try to access a .php page or .htm or .html page that doesn't exist, you are redirected properly.

It always displays the PHP for the custom 404 error message page. Luckily, I have database access files stored in a config file elsewhere rather than typed directly onto that page. The PHP on that page doesn't give away any information directly, but it does show my includes, structure, etc. of the site.

Is this supposed to happen? I wouldn't think so - I would think it should always show the 404 error page rather than the php code.

Anyone have any idea what is going on? I only noticed this because I tried to type the URL in a few times and accidentally hit enter too early - a common mistake.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

How is GoDaddy redirecting to this script?
Superman859
Forum Commoner
Posts: 47
Joined: Sun Oct 29, 2006 10:22 am

Post by Superman859 »

To be honest I'm not entirely sure.

When you log into your hosting account with GoDaddy, there is a control panel. In that control panel is a link to 404 Error Behavior. You can use GoDaddy's default (lame), your home page, or specify a URL to use. I typed up a 404_error.php page for my site (all pages are stored in a database), so that's what I redirect to.

As to how they do the redirect, I'm not entirely sure, although I imagine I can email and ask them (although sometimes it takes a while for a response).
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

What happens if you go directly to the error page?

(post the code)
Superman859
Forum Commoner
Posts: 47
Joined: Sun Oct 29, 2006 10:22 am

Post by Superman859 »

If you go directly to the error page, the error page shows up as it should.

Here is a link to the error page:

http://www.learn-korean-now.com/404_error.php

Now just pick any file and go to it. If it has a .php ending, .html, .htm (any of the usual) and it doesn't exist, you should be directed to the error page.

Now try the same thing, but delete the last letter... try a .ht file or a .ph file. This time, you will be taken to the PHP code for the 404 error page - it won't process the PHP code like it should.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

Wow...

I didn't believe it until I saw it myself.

http://www.learn-korean-now.com/doesnt_exist.php

http://www.learn-korean-now.com/doesnt_exist <-- shows the source...

It's obvious that for some reason Apache is not sending the file through the PHP parser.


... IDEA! Add a .htaccess file that contains

    Options -multiviews

and report back.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Ooh that's clever. And dangerous.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I would've never caught that myself, kudos on spotting that.
That could be very dangerous to have your coding exposed.

Maybe a rewrite rule in a .htaccess file that sends page requests for anything not in, say, .php, .htm, .jsp etc. to the 404 error page.
Superman859
Forum Commoner
Posts: 47
Joined: Sun Oct 29, 2006 10:22 am

Post by Superman859 »

Alright - I think I tried it right?

To be honest, I've never dealt with .htaccess files before now, although I've heard the name.

I found a tutorial online - here is what I did.

I opened notepad, saved a file named .htaccess

Next I put the following in it:

ErrorDocument 404 http://www.learn-korean-now.com/404_error.php
Options -multiviews

Saved it again - uploaded it via FTP to the root level of my site. It had a .txt extension on it so I removed that. Made sure it was CHMOD 644.

Does that sound right? Is there anything I am missing? I don't even know how to know if the .htaccess file is working properly. I tried to change it to send to another page for 404 error messages, but it still went to 404_error.php. I'm not sure if that means my file wasn't recognized properly, or if GoDaddy's setting overrides it somehow.

Regardless, it didn't seem to make any difference either way I did it.
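An added example, not code from the thread, from GoDaddy or from the site in question: a POSIX shell script that writes the hardened .htaccess nickvd and s.dot are describing, and gives a way to check a host for the kind of leak reported above. Compared with the file posted in the previous message it differs in two ways: `ErrorDocument` takes a local path instead of a full URL, because a full URL makes Apache answer with a 302 redirect to that URL rather than a 404 status, and `Options -MultiViews` is written in Apache's canonical case. The rewrite rule implements s.dot's idea (any request that is not a directory and does not carry an allowed extension gets a 404), and the `FilesMatch` block refuses include files and editor backups that are otherwise served as plain text. The hostname, paths and the allowed-extension list are assumptions to adjust per site; `Require all denied` is Apache 2.4 syntax (on 2.2 use `Order deny,allow` and `Deny from all`).

```shell
#!/bin/sh
# Added example, not code from the thread. Writes a hardened .htaccess and
# probes a site for raw PHP source in responses. Hostname, paths and the
# extension allow-list are assumptions; adjust them per site.

# write_htaccess FILE: write the hardened rules to FILE (normally .htaccess
# in the web root, mode 644).
write_htaccess() {
    cat > "$1" <<'EOF'
# Stop content negotiation from mapping /foo onto foo.php, foo.ph, etc.
Options -MultiViews

# Local path, not a full URL: a full URL makes Apache send a 302 redirect
# and the client never sees a 404 status.
ErrorDocument 404 /404_error.php

# Anything that is not a directory and does not end in an extension we intend
# to publish gets a 404 (s.dot's suggestion). The extension list is an assumption.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !\.(php|html?|css|js|png|jpe?g|gif|ico)$ [NC]
RewriteRule ^ - [R=404,L]

# Never serve include files or editor/backup copies of scripts as plain text.
# Apache 2.4 syntax; on 2.2 use "Order deny,allow" and "Deny from all".
<FilesMatch "\.(inc|bak|orig|old|sw[op])$|~$">
    Require all denied
</FilesMatch>
EOF
}

# truncations PATH: print PATH with its extension shortened one character at a
# time, then with no extension at all, e.g. /404_error.php -> /404_error.ph,
# /404_error.p, /404_error., /404_error. Prints nothing for a path without one.
truncations() {
    stem="${1%.*}"
    ext="${1##*.}"
    [ "$stem" = "$1" ] && return 0
    while [ -n "$ext" ]; do
        ext="${ext%?}"
        printf '%s.%s\n' "$stem" "$ext"
    done
    printf '%s\n' "$stem"
}

# looks_like_php_source: succeed if stdin contains an opening PHP tag, which a
# correctly configured server never emits in a response body.
looks_like_php_source() {
    grep -q '<?php'
}

# probe BASE_URL PATH: request every truncation of PATH and flag responses whose
# body contains PHP source. Needs network access; BASE_URL is an assumption.
probe() {
    tmp=$(mktemp)
    truncations "$2" | while read -r u; do
        code=$(curl -s -o "$tmp" -w '%{http_code}' "$1$u")
        if looks_like_php_source < "$tmp"; then
            printf 'LEAK %s %s\n' "$code" "$1$u"
        else
            printf 'ok   %s %s\n' "$code" "$1$u"
        fi
    done
    rm -f "$tmp"
}

# Usage (hostname assumed):
#   . ./leakcheck.sh
#   write_htaccess /path/to/webroot/.htaccess
#   probe http://www.example.com /404_error.php
```

Two caveats a shared-host user needs. `Options` in a .htaccess file only takes effect when the host's `AllowOverride` includes `Options` (otherwise Apache returns a 500 for every request), and the quickest way to learn whether the file is read at all is to add a deliberately invalid line to it: a 500 means the file is being processed, no change at all means `AllowOverride None` and only the host can change that. `probe` is the check for the symptom in this thread: a `LEAK` line is a response whose body contains `<?php`, which is what a request for a truncated name produced here; after the fix every truncation should come back as a 404 with an HTML body.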
Superman859
Forum Commoner
Posts: 47
Joined: Sun Oct 29, 2006 10:22 am

Post by Superman859 »

Hello - just updating everyone.

I emailed GoDaddy about the issue. Sometime yesterday I was unable to log into my account and got a message saying my hosting account was changing servers or something.

Afterwards, it doesn't display PHP anymore. They emailed me back and said they were unable to reproduce the error. Whoever changed the servers must have done the trick, though.

Just letting everyone know in case anyone tries it and doesn't get the same issue as before.