I have been running some automated security scans and the following URL triggers a 404:
/%FF%FE%3Cscript%3Ehaikumsg%28326%29%3C%2Fscript%3E
This is run from the route on the domain on an Apache server (so this should be easy to replicate).
My htaccess is setup with ErrorDocument 404 /site/404 but this isn't being caught. I know this because if I completely empty the htaccess file I am still presented with the same standard apache 404 page.
Clearly this is a tag hack so I have to be careful how its handled, however I'd like to know how to manage it so it at least does my /site/404 instead of nothing.
It turns out the solution is to move your 404 redirect to the Vhosts not htaccess!! Very simple solution and that will fix it. Apache obviously works with the URL before even getting to the htaccess file so moving the 404 redirect is needed at a higher level.
However if you need to decode and use the URLs then the following begins to help:
https://serverfault.com/questions/261683/how-does-apache-process-a-path-with-a-percent-encoded-url-in-it
Basically the solution is to add AllowEncodedSlashes On to the Vhosts file.
As per https://httpd.apache.org/docs/2.0/mod/core.html#allowencodedslashes.
Related
I want to use local URL (relative path) to show my custom 404 error message and it doesn't seem to be working as expected. As apache documentation stated here :
The syntax of the ErrorDocument directive is:
ErrorDocument <3-digit-code> <action>
where the action will be treated as:
A local URL to redirect to (if the action begins with a "/").
An external URL to redirect to (if the action is a valid URL).
Text to be displayed (if none of the above). The text must be wrapped in quotes (") if it consists of more than one word.
Methods 2 and 3 are working correctly. For testing purpose imagine a folder named test with 3 files.
index.php: main page
404.php: a custom 404 page
.htaccess:
RewriteEngine On
ErrorDocument 404 /404.php
Now accessing this URL http://localhost/test/blah-blah does not show my 404.php page instead a default Not Found page is displayed with this message:
The requested URL /tests/test-htaccess/asdasd was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an
ErrorDocument to handle the request.
Any idea how to fix this?
You probably found the solution to your problem since the time you asked, but for anyone having the same kind of issue, I would say the problem is that you are running your site with localhost.
The message says that Apache encountered a 404 error when trying to get the file specified for Errordocument 404, so it doesn't see
/404.php
I suggest you create a fake domain in your hosts file and set up a vhost with it.
Hosts on OSX :
sudo nano /etc/hosts
Hosts on Windows, Right-click this file to edit in administrator mode :
C:\WINDOWS\System32\Drivers\Etc\Hosts
and enter something like this:
127.0.0.1 myfakedomain.com
To set up virtual hosts, you must uncomment the call to httpd-vhosts.conf in httpd.conf (near the end, using MAMP in this case)
# Virtual hosts
Include /Applications/MAMP/conf/apache/extra/httpd-vhosts.conf
but the location of this file depends of the stack you are using (Wamp, Mamp, Xampp, etc) so search with the keyword "Virtual host" in its documentation.
Then you will be able to run your site using
myfakedomain.com/
in your browser and 404 errors should be handled the right way.
mydomain.com/badurl.html redirects correctly to mydomain.com/en/404.html, but mydomain.com/en/badurl.html does not and goes to a blank page, literally. Looks like adding a locale 'en' throws it off, rest of the locales seem to work OK.
This is my Virtual Host
ErrorDocument 404 /en/404-error.html
P.S it is outside all directives but .
You're probably sending those requests to something like PHP that sees them and returns something other than 404 to Apache. There are cases where plugins can even send a 404, but tell Apache the response was successful. Those do not trigger ErrorDocument.
I want to make apache to always open up a signle page for 404 errors from all subdomains.
The problem is that my subdomains are located in subfolders in public_html, and thus have a different root path.
For example the main domain this works quite well:
ErrorDocument 404 /Error/404.html
The Error folder and the main domain are located in public_html respectively.
However for the forum subdomain, located in public_html/forum/ the above root path does not, and it actually looks for public_html/forum/Error/404.html which doesn't exist.
I tried to rewrite rule for the forum folder, but it didn't work out either:
ErrorDocument 404 /../Error/404.html
Seems, it cannot go below the root folder for some reason.
Any ideas how can I refer to the same page from the main and the subdomain alike, without triggering redirects? (eg: http://mysite/Error/404.html would accomplish this, but would also change the url address of the page which I don't want)
Seems, it cannot go below the root folder for some reason.
Because being able to traverse above the document root is a very, very serious security risk. If your webserver gets compromised, people would be able to serve all kinds of files anywhere on your entire server.
If you have access to server config you can setup aliases for the /Error folder. For example, in your forum subdomain's vhost config, you can add:
Alias /Error /path/to/public_html/Error/
This way, when you go to http://forum.yourdomain.com/Error/404.html you'd actually be looking at http://main.yourdomain.com/Error/404.html. Then you can just use:
ErrorDocument 404 /Error/404.html
like normal in your forum subdomain.
But if you don't have access to your server/vhost config, you'll need to use mod_proxy and mod_rewrite. So in the htaccess file in public_html/forum/, add these to the top:
RewriteEngine On
RewriteRule ^Error/(.*)$ http://main.yourdomain.com/Error/$1 [L,P]
Pretty sure based on various examples (like the one here) I set things up correctly:
1) I created a file 'notfound.html' in the root directory of my site
2) I'm running xampp, ie. Apache web server, so based on the stuff I've read, Apache looks for a notfound.html in the root directory of a site when a non-existent page is typed in the browser, such as www.mysite.com/NotAValidPage.html and uses that notfound.html for the 404 error message
Here's what I've tried and the result of each attempt:
1test) I put my own notfound.html in my site's root directory and enter a non-existent page
1result) my notfound.html is not used, but instead the default 404 error from (I guess) my web server, appears and says:
Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try
again.
If you think this is a server error, please contact the webmaster.
Error 404
localhost
2/14/2012 9:11:29 AM
Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
2test) I next added an .htaccess file to the root folder of my site and added this line in this .htaccess file:
ErrorDocument 404 /notfound.html
then I typed a non-existent page into my browser.
2result) I still see a default 404 error page, not my notfound.html, only this time the default error page says:
Not Found
The requested URL /mysite.com/indsadfaex.php was not found on this server.
Additionally, a 404 Not Found error was encountered while trying
to use an ErrorDocument to handle the request.
3test) I then modified my .htaccess file by removing the '/' before the name of my custom 404 error page filename as follows:
ErrorDocument 404 notfound.html
3result) Now when I type my site name followed by a non-existent page, I no longer see the default 404 error page -- the browser window is completely blank except for the following at the top left corner:
notfound.html
Not sure what to do here, seems like I am missing some subtlety -- any ideas are really appreciated.
EDIT: I doubt it matters but there are 2 other statements in my .htaccess file for redirection situations:
RewriteEngine on
RewriteRule ^([^/\.]+)$ theHandlerPage.php?theArgumentPassedIn=$1 [L]
The regex here simply says 'go to the very end of the URL typed in and match a contiguous string of characters iff no '/' or '.' is in that contiguous stream of characters, then pass those in by way of $_GET[theArgumentPassedIn'] to the file theHandlerPage.php.
I don't think this rewrite rule is coming into play here because it will not match on a bad page name such as mysite/badpage.html because of the '.' in badpage.html.
Okay -- I discovered a bit of unexpectedness.
1) I move my notfound.html error file to the parent directory of my site -- whereas before the file was located at c:/xampp/htdocs/mysite/notfound.html, I have now moved this file to c:/xampp/htdocs/notfound.html.
2) then I use ErrorDocument 404 /notfound.html inside of my .htaccess file, which is located at c:/xampp/htdocs/mysite/.htaccess
And now when I type in the browser bar mysite/aBadfilename.html, my 404 notfound.html is showing up fine.
BUT THIS IS UNWORKABLE. I cannot have my notfound.html reside in the parent directory of my site, because I need a different notfound.html for each site I develop. I must be able to put my site's notfound.html in its folder space, ie. inside c:/xampp/htdocs/mysite.
Because c:/xampp/htdocs is the root folder of all web sites on the server.
Why is my web server looking for my-site's notfound.html in the c:/xampp/htdocs root directory instead of c:/xampp/htdocs/mysite? After all, I type mysite/badfile.html so the web server (in my opinion) should understand that notfound.html is in the c:/xampp/htdocs/mysite folder space.
Are you using Virtual Hosts ?
if so, i think there is a problem, open your httpd-vhosts.conf and look for a line where is DocumentRoot C:/xampp/htdocs/bla/blah/mysite/ and write down full path to a host, if it doesn't work play with Directory path. Hope it helps.
Is there a way to have the request parameters "forward on" to the custom error file in apache much like [QSA] does on rewrite rules?
if i send in www.foo.com/doesnotexist?bar=true
and i have this in vhost:
ErrorDocument 404 /customerrorpage
then it would call customerrorpage with:
customerrorpage?bar=true
I know this is really old question, but it hasn't been answered and so in case someone else is searching the site for the answer I'll share what I know.
The Apache 2.2 ErrorDocument page says that when you have a Custom Error page which is a local page then a number of environment vars will be set which can be read from your customer error handler. One of the vars is REDIRECT_QUERY_STRING which will contain the query string that the original page had. So in your example the REDIRECT_QUERY_STRING would contain 'bar=true'.