I am testing the security of my website. I am using the following URL to load a PHP page in my website, on localhost:
http://localhost/domain/user/index.php/apple.php
When I do this, the page is not loading normally; Instead the images, icons used in the page simply vanish/disappear from the page. Only text appears. And also on any link I click on this page, it brings me to this same page again without navigating to the required page. So if I have hyperlinks to other pages, such as “SEARCH”, which points to search.php, instead of navigating to the search.php page, it refreshes the index.php page and just appends the page name of the destination page to the end of the URL.
For example, say I used the link above. It then loads the index.php page minus the images at it’s will. When I click on the “Search” link to navigate to the search page, I see the following in the URL:
http://localhost/domain/user/index.php/search.php
I have a redirection configured to a 404 error page in my .htaccess file, but the page does not redirect to the 404 error page. Notice the search.php towards the end of the URL above. Any other link that I click, reloads the index.php page and just appends the destination page name to the end of the URL like I have shown above.
I was expecting to see a 404 Error but that does not happen. The URL should not even be able to load the page because I do NOT have a “index.php” folder in my website.
What can I do to solve this? All help is appreciated.
Update:
The security concern is that users being able to see a non-existing page (which is quite misleading) like http://localhost/domain/user/index.php/apple.php especially when it does not exists. This makes me feel that this is going to open doors for hackers to exploit the website and compromise its integrity. Can this happen in such a case? I want users to see a 404 error page and any I am willing to any change needed in .htaccess file to accommodate this.
Can you suggest me of some code that I can add to my .htaccess file to accomplish this?
Thank you.
EDIT1:
Here are the contents of my .htaccess files. I have 2 of them. One in domain root and the other in ‘user’ folder/directory.
/*.htaccess in domain root*/
ErrorDocument 404 /domain/404.php
/*.htaccess in user folder*/
ErrorDocument 404 /domain/user/404.php
EDIT2:
@Pekka Thanks for the link. I added the following code in the .htaccess file (within the user directory)
<Files "mypaths.php">
Options +Includes
SetOutputFilter INCLUDES
AcceptPathInfo Off
</Files>
But still this does not show me the 404 page. Sorry, I am very novice with the .htaccess. Hope you will be able to tell me what I am wrong. Thanks.
The behaviour of why this loads a page:
is easily explained. The request is passed to
index.php, withapple.phpbeing in the$_SERVER["PATH_INFO"]variable.So you are in the
/userdirectory as far as the server and the PHP script are concerned.This is also why no 404 turns up:
index.phpis always found, no matter which file you specify as the last file.The browser, however, interprets
index.phpnot as a file, but as the parent directory ofapple.php.Therefore, every relative link you put on the page, say to
contact.phpis fetched like this:which obviously won’t work.
What you may want to do is use absolute paths in images and links, but either way, this is of no concern to security whatsoever.
As a side note, this whole phenomenon is sometimes used to create search engine friendly URLs without having to use
mod_rewritemodule.You can turn this behaviour off using the
AcceptPathInfodirective.