Security Issue - Is This Bad Or Supposed To Happen?
-
Superman859
- Forum Commoner
- Posts: 47
- Joined: Sun Oct 29, 2006 10:22 am
Security Issue - Is This Bad Or Supposed To Happen?
I've noticed something a bit strange on my site - not quite sure how to fix it.
I have a custom 404 error message page that shows up when someone tries to get to a page that doesn't exist on the site. If someone tries to access the page, my server (GoDaddy) redirects them to the page that I specified.
Now here is the issue - if someone types an address in and only enters .ph instead of .php on accident or something, the PHP code shows up for my 404 error message page. This happens a lot of the time - if you try to access a page with a .ph or .p extension - I'm guessing it happens for extensions that are not known. If you try to access a .php page or .htm or .html page that doesn't exist, you are redirected properly.
It always displays the PHP for the custom 404 error message page. Luckily, I have database access files stored in a config file elsewhere rather than typed directly onto that page. The PHP on that page doesn't give away any information directly, but it does show my includes, structure, etc. of the site.
Is this supposed to happen? I wouldn't think so - I would think it should always show the 404 error page rather than the php code.
Anyone have any idea what is going on? I only noticed this because I tried to type the URL in a few times and accidentally hit enter too early - a common mistake.
-
Superman859
- Forum Commoner
- Posts: 47
- Joined: Sun Oct 29, 2006 10:22 am
To be honest I'm not entirely sure.
When you log into your hosting account with GoDaddy, there is a control panel. In that control panel is a link to 404 Error Behavior. You can use GoDaddy's default (lame), your home page, or specify a URL to use. I typed up a 404_error.php page for my site (all pages are stored in a database), so that's what I redirect to.
As to how they do the redirect, I'm not entirely sure, although I imagine I can email and ask them (although sometimes it takes a while for a response).
-
Superman859
- Forum Commoner
- Posts: 47
- Joined: Sun Oct 29, 2006 10:22 am
If you go directly to the error page, the error page shows up as it should.
Here is a link to the error page:
http://www.learn-korean-now.com/404_error.php
Now just pick any file and go to it. If it has a .php ending, .html, .htm (any of the usual) and it doesn't exist, you should be directed to the error page.
Now try the same thing, but delete the last letter... try a .ht file or a .ph file... This time, you will be taken to the PHP code for the 404 error page - it won't process the PHP code like it should.
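A quick way to test a site for this class of exposure, as an added example that is not part of the thread (the base URL, the path stem and the extension list are assumptions): request the same non-existent name with the usual extensions and with the truncated ones the poster describes, never follow redirects, and flag any response whose body contains a PHP open tag.

```shell
#!/usr/bin/env bash
# Probe a site for PHP source exposure on requests with unknown extensions.
# Added example, not from the thread. The base URL, the path stem and the
# extension list are assumptions; adjust them to the site under test.

# Classify one response. Arguments: HTTP status, Content-Type, file holding the body.
# Prints LEAK when raw PHP is in the body, OK for a real 404, REDIRECT for a
# 3xx (an ErrorDocument given as a full URL behaves this way), CHECK otherwise.
leak_verdict() {
  local status="$1" ctype="$2" body="$3"
  if grep -qF -e '<?php' -e '<?=' "$body"; then
    echo "LEAK"
  elif [ "$status" = "404" ]; then
    echo "OK"
  elif [ "$status" = "301" ] || [ "$status" = "302" ]; then
    echo "REDIRECT"
  else
    echo "CHECK($status,$ctype)"
  fi
}

# Request every variant of a non-existent name and print a verdict per request.
# -L is deliberately not used: a redirect is a finding in itself.
probe() {
  local base="$1" stem="$2" tmp url out status ctype ext
  tmp=$(mktemp)
  for ext in .php .html .htm .ph .p .h .inc .txt ""; do
    url="$base/$stem$ext"
    out=$(curl -s -o "$tmp" -w '%{http_code} %{content_type}' "$url")
    status=${out%% *}
    ctype=${out#* }
    printf '%-8s %s %s\n' "$(leak_verdict "$status" "$ctype" "$tmp")" "$status" "$url"
  done
  rm -f "$tmp"
}

# Usage: ./probe.sh http://www.example.com doesnt_exist
if [ $# -ge 1 ]; then
  probe "$1" "${2:-doesnt_exist}"
fi
```

Against a site without the bug every line reads OK with a 404. REDIRECT on every line means the error page is reached through an external redirect, which hides the 404 status from the client but does not by itself expose source; a single LEAK line is the condition described in this thread.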
-
nickvd
- DevNet Resident
- Posts: 1027
- Joined: Thu Mar 10, 2005 5:27 pm
- Location: Southern Ontario
- Contact:
Wow...
I didn't believe it until i saw it myself.
http://www.learn-korean-now.com/doesnt_exist.php
http://www.learn-korean-now.com/doesnt_exist <-- shows the source...
It's obvious that for some reason apache is not sending the file through the php parser.
... IDEA! Add a .htaccess file that contains

Options -multiviews

and report back.
-
Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
I would've never caught that myself, kudos on spotting that.
That could be very dangerous to have your coding exposed.
Maybe a rewrite rule in a .htaccess file that sends page requests for anything not in say.. .php, .htm, .jsp etc to the 404 error page.
-
Superman859
- Forum Commoner
- Posts: 47
- Joined: Sun Oct 29, 2006 10:22 am
Alright - I think I tried it right?
To be honest, I've never dealt with .htaccess files before now, although I've heard the name.
I found a tutorial online - here is what I did.
I opened notepad, saved a file named .htaccess
Next I put the following in it:
ErrorDocument 404 http://www.learn-korean-now.com/404_error.php
Options -multiviews
Saved it again - uploaded it via FTP to the root level of my site. It had a .txt extension on it so I removed that. Made sure it was CHMOD 644.
Does that sound right? Is there anything I am missing? I don't even know how to know if the .htaccess file is working properly. I tried to change it to send to another page for 404 error messages, but it still went to 404_error.php. I'm not sure if that means my file wasn't recognized properly, or if GoDaddy's setting overrides it somehow.
Regardless, it didn't seem to make any difference either way I did it.
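The .htaccess the poster describes, as an added example that combines the two suggestions in this thread (nickvd's MultiViews switch and Ambush Commander's catch-all rule) with a way to tell whether the file is being read at all. This is not the poster's file or GoDaddy's configuration; the host name, the extension whitelist and the denied-file pattern are assumptions. Note that the ErrorDocument uses a local path: with a full http://... URL Apache answers a missing page with a 302 redirect to the error page rather than a 404.

```shell
#!/usr/bin/env bash
# Render a hardened .htaccess for the setup in this thread and check how the
# server answers for a missing page. Added example, not the poster's file; the
# host, the extension list and the denied-file pattern are assumptions.

render_htaccess() {
cat <<'EOF'
# Content negotiation would let /foo be answered with foo.php; turn it off.
# Needs "AllowOverride Options" on the host: if the site starts answering
# 500 after uploading this file, the host does not allow the directive.
Options -MultiViews

# Local path, not a full URL: Apache serves the page internally with a
# 404 status. With "ErrorDocument 404 http://host/404_error.php" Apache
# sends a 302 redirect and the client never sees the 404.
ErrorDocument 404 /404_error.php

# Catch-all (Ambush Commander's idea): anything that is not a directory and
# does not end in an extension this site serves gets a 404 before any
# handler runs. Extend the list to match what the site actually serves.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule !\.(php|html?|css|js|png|jpe?g|gif|ico|txt|xml)$ - [R=404,L]
</IfModule>

# Config and include files must never be served directly, whatever
# handler the server picks. Apache 2.4 syntax first, 2.2 fallback.
<FilesMatch "\.(inc|ini|bak|sql|log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# HTTP status for a URL, without following redirects.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# What a given status for a request to a missing page tells you.
classify_404_status() {
  case "$1" in
    404)     echo "good: custom 404 page served with a 404 status" ;;
    301|302) echo "redirect: ErrorDocument is probably a full URL, client never sees a 404" ;;
    500)     echo "htaccess is read but rejected: a directive is not allowed by AllowOverride" ;;
    200)     echo "suspicious: 200 for a missing page, inspect the body for raw PHP" ;;
    *)       echo "unexpected: $1" ;;
  esac
}

# Usage: ./htaccess_check.sh http://www.example.com [output-file]
if [ $# -ge 1 ]; then
  render_htaccess > "${2:-.htaccess}"
  echo "wrote ${2:-.htaccess}; upload it to the document root (mode 644), then re-run the checks:"
  for p in missing.php missing.ph missing; do
    code=$(http_status "$1/$p")
    printf '%-12s %s  %s\n' "$p" "$code" "$(classify_404_status "$code")"
  done
fi
```

To confirm the file is being read at all, temporarily add a line of nonsense to it and request any page: a 500 means Apache is parsing the file, an unchanged site means it is ignored (typically AllowOverride None for that directory). Check the status code with curl rather than a browser, since a browser renders a 302 followed by a 200 and a genuine 404 identically.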
-
Superman859
- Forum Commoner
- Posts: 47
- Joined: Sun Oct 29, 2006 10:22 am
Hello - just updating everyone.
I emailed GoDaddy about the issue. Sometime yesterday I was unable to log into my account and got a message saying my hosting account was changing servers or something.
Afterwards, it doesn't display PHP anymore. They emailed me back and said they were unable to reproduce the error.
Whoever changed the servers must have done the trick though.
Just letting everyone know in case anyone tries it and doesn't get the same issue as before.