I'm using .htaccess mod_rewrite
to convert a nice URL, and using a php variable page
to send the url portion to index.php
where rest of the processing is done.
RewriteRule ^([a-zA-Z0-9-_/]+)$ index.php?page=$1 [QSA,L]
Now, if some malicious user passes the page
variable via query string, it gets accepted. For example, if the user calls http://mysite.com/login?page=registration
instead of loading the login
page, user specified registration
page gets loaded.
Any idea how to fix it within the htaccess
file?
I've looked for answers for the same thing myself and I'm pretty sure there is no solution to it. The only solution I've come up with is to replace page
with some arbitrary "key" instead, like 98198bs129387b13
. Thus, they would have to know the key. But make no mistake, this is security through obscurity... and having proper checks in index.php is still necessary (and it is regardless).
if the user calls http://mysite.com/login?page=registration instead of loading the login page, user specified registration page gets loaded.
You can't fix this using mod_rewrite - after all, what's to stop the attacker from entering
domain.com/registration
instead?
You need to make sure that unauthorized users can never access pages they're not supposed to access.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.