Security Issue - Is This Bad Or Supposed To Happen?
Posted: Sat Mar 03, 2007 10:45 am
I've noticed something a bit strange on my site - not quite sure how to fix it.
I have a custom 404 error message page that shows up when someone tries to get to a page that doesn't exist on the site. If someone tries to access the page, my server (GoDaddy) redirects them to the page that I specified.
Now here is the issue - if someone types an address in and only enters .ph instead of .php by accident or something, the PHP code shows up for my 404 error message page. This happens a lot of the time - if you try to access a page with a .ph or .p extension - I'm guessing it happens for extensions that are not known. If you try to access a .php page or .htm or .html page that doesn't exist, you are redirected properly.
It always displays the PHP for the custom 404 error message page. Luckily, I have database access files stored in a config file elsewhere rather than typed directly onto that page. The PHP on that page doesn't give away any information directly, but it does show my includes, structure, etc. of the site.
Is this supposed to happen? I wouldn't think so - I would think it should always show the 404 error page rather than the PHP code.
Anyone have any idea what is going on? I only noticed this because I tried to type the URL in a few times and accidentally hit enter too early - a common mistake.
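Added example (not part of the original post): a small check a site owner could run over saved response bodies to flag pages that return unexecuted PHP and to list the include paths they expose, which is the kind of disclosure described above. The URLs and bodies are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample bodies (not captured from any real site).
LEAKED_BODY = """<?php
include("includes/header.php");
require_once 'config/settings.php';
?>
<h1>Page not found</h1>
<?php include("includes/footer.php"); ?>
"""
RENDERED_BODY = "<html><body><h1>Page not found</h1></body></html>"

# Constructed URLs: one mistyped extension, one correct extension.
SAMPLES = {
    "http://example.com/about.ph": LEAKED_BODY,
    "http://example.com/about.php": RENDERED_BODY,
}

# A PHP open tag in a response body means the server sent source instead of running it.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Paths named in include/require statements reveal the site's file layout.
INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def find_php_leak(body):
    """Return disclosure details if body contains unexecuted PHP, else None."""
    tags = PHP_TAG.findall(body)
    if not tags:
        return None
    return {
        "open_tags": len(tags),
        "included_paths": sorted(set(INCLUDE.findall(body))),
    }


def audit(responses):
    """responses maps URL -> body; return findings for leaking URLs only."""
    findings = {}
    for url, body in responses.items():
        hit = find_php_leak(body)
        if hit:
            findings[url] = hit
    return findings
```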