I found a vulnerability for content-spoofing on my webpage.
This URL:
https://www.mygreatsite.com/www.mygreatsite.com%20has%20moved%20to%20www.evilsite.com.%20CHECK%200UT%20H0W%20COOL%20THE%20NEW%20SITE%20IS!%20Sadly,%20the%20file%00
Apache Output:
Not Found
The requested URL /www.mygreatsite.com has moved to www.evilsite.com. CHECK 0UT H0W COOL THE NEW SITE IS! Sadly, the file was not found on this server.
--
The URL Overrides the Apache-Error and outputs the text added to the URL in the Browser, along with a 404-Error.
Actually, all requests to the server should be redirected to the CMS (Typo3) which in turn handles the 404-error and shows a custom page.
When I enter an URL that doesn't exist, this works perfectly. Just the above mentioned URL screws everything up.
Interestingly, when I delete the «%00» from the end of the URL, the request is forwarded to the CMS and the correct error document is displayed.
I tried to add a separate ErrorDocument-Directive to the htaccess-file - with no success.
Any ideas what goes wrong and how I could solve this?
As Anubhava points out, when a NULL-Byte is detected, Apache doesn't load any modules and just throws the 404. That's why ErrorDocument and mod_rewrite in the htaccess don't work.
[Edit for clarification]
%00 or in Hex \x00 is a NULL byte. When web server finds a NULL byte at the end then web server thinks it is a spoofing request and considers it to be dangerous to be processed by any directives.
Due to security reasons web server doesn't load any modules for this request and returns a 404 / Not found status. Browser shows default 404 page with your decoded URL just below Not Found text.
Related
I'm having the SSL warning messages all over my website after switching to SSL for several assets:
Mixed Content: The page at 'https://example.com' was loaded over HTTPS,
but requested an insecure script 'http://example.com/script.js'. This
request has been blocked; the content must be served over HTTPS.
I checked the page source, every single script/css is requested over https.
I even checked the dynamically created html by using the code inspector.
I disabled Javascript in case a script was loading these assets dynamically.
None of these things showed a single http:// request. I'm out of ideas to try and find what is causing this. Any ideas or suggestions?
When seeing a mixed-content message about a http://example.com/script.js (non-https) URL that doesn’t actually appear anywhere in your sources, the basic strategy to follow is:
Replace the http in the URL with https and put that into the address bar in your browser: https://example.com/script.js
If your browser redirects from that https://example.com/script.js URL back to (non-https) http://example.com/script.js, then you’ve found the cause: example.com/script.js isn’t actually available from an https URL, and ends up getting served from a http URL even though your source is requesting the https URL.
My 2 cents regarding this issue.
I have a project hosted on one domain that works flawlessly.
I need to make it international so I am cloning the master branch to a new branch, making some necessary text changes and deploying new site (new domain) with code from the new branch.
Everything works fine, except 1 ajax call (api route) that gets blocked due to Mixed content.
First things first, I checked these 3 things:
I check in the Network tab in dev tools and it is actually loaded through https.
I open the file directly in browser and it is https.
I try to open it as http:// and it automatically redirects to https://
This is very strange because the 2 domains are both using Cloudflare and their backend setup is identical, the code is the same (only text changes for the new one) yet for the new setup there is console error for 1 specific api route, an all others (some 20+ ajax requests across the page) work just fine. They are even using the same function to make the Ajax request, so it is definitely not a configuration error.
After doing some investigation I found out the issue:
The call that was 'buggy' was ending in /. For example, all other calls were made to:
https://example.com/api/posts
https://example.com/api/users
And this particular one was making requests to
https://example.com/api/todos/
The slash at the end was making it fail with mixed content issue. I am not sure why this is causing issue and how it isn't an issue on the original site (since there the same ajax call works just fine), but it definitely fixed my issue.
If I figure out what caused the / to fail so miserably, I will post an update.
I have a Joomla site running on Apache and Ubuntu 12.04. I wanted to show a custom 404 pages to be shown when a 404 error occure. I have made necessary changes to error.php file in my template directory to redirect it to '/404' directory where I have an index.html file with many images,css and java script.
Now when accessing a non-existent page, Joomla is redirecting me to root/404 but there I get a 403 Forbidden error from appache. The 404 directory is located inside 'htdocs' directory of Joomla installation.
Additional info:
1. I don't want to convert my 404 page into a Joomla template or article.
2. I am using a Joomla AMI from Bitnami on Amazon web service
If you redirect to a 404 page, you corrupt the error mechanism. The client will never get that 404 status, but a 200 on successful redirect to your error page.
Instead, you should modify your template's error.php to
send the 404 Not Found header
directly send the error page using readfile()
You might have to adjust the asset paths within your error page.
That's totally wrong, working with static pages does not mean that you have to overcome Joomla's routing.
You should either override the error Page view or use custom error pages.
Take a look at Joomla's documentation.http://docs.joomla.org/Custom_error_pages
Nibra was totally right about breaking the mechanism but still using a readfile() seems as an overkill.
When you use modrewrite to rewrite your urls, when does the rewrite occur. Will the user be able to see the url before rewrite, when hovering over the link? When they hover over a link will their browser display the rewritten url or the url before it was modified with modrewrite?
The rewrite is done in the server so the user will never know,
PHP also doesn't know what link its pointing to only the script file
mod_rewrite acts on the server side, meaning that apache rewrites incoming URLs before responding to the request. Any HTML links you add to a page will point to the URL you entered, as mod_rewrite doesn't modify any outgoing data.
The rewrite occurs when Apache has parsed the request - before the PHP interpreter has been started.
The web-site has ssl certificate.
Any http page is redirected to the same, but https page (if not https) by .htaccess.
Everything works fine, but 404.shtml gets a security warning "This webpage contains content that will not be delivered using a secure HTTPS connection..." in IE. The same behavior is in any other browser.
How to exclude that error?
404.shtml web-page was created using web-hosting control panel wizard. The file 404.shtml was created automatically.
Most likely the automatically generated file includes links, images or other resources fetched via http. If you can change them to https links, you should avoid the problem. There's afaik no other way to make the browser not warn about this, at least in a cross browser way.
For SEO purposes. How do I force user gets redirected to mysite.com/index when types mysite.com on browser ?
I've tried Redirect / en/index
But I'm getting "Firefox has detected that the server is redirecting the request to this address in a way that will never end."
Also, can this redirection consired set language (php psession, cookies?)
p.s. xampp/windows
Redirect works on path prefixes. Redirect / … matches any path its prefix is / (so virtually any path). Use RedirectMatch instead:
RedirectMatch ^/$ /en/index
I believe the error you're getting from Firefox is because you're entering an infinite loop with this redirection. If you try to redirect to a page that doesn't exist, and your server is set up to redirect to a page that doesn't exist on 404, you'll enter a loop. So, ensure that your redirect is going somewhere significant. Does /index exist? Try redirecting to Google instead and see if you get the same error.
(My server knowledge is limited to goofing around while working on school projects, so take anything I say with a grain of salt)
This probably means you have an error in your redirect code. What Firefox is detecting is that the page are trying to view is redirecting you to itself. Without this protection it would just seem like the page wasn't loading.
If you are running windows on your workstation, I would recommend downloading Fiddler2. It will let you see the series of redirects that your server is sending.