: 404 page echoing request URI - security risk? I just noticed the default 404 page on one of my hosting accounts displays the requested URI. <!--#echo var="REQUEST_URI" --> I faintly
I just noticed the default 404 page on one of my hosting accounts displays the requested URI.
<!--#echo var="REQUEST_URI" -->
I faintly remember hearing or reading that this is a potential vulnerability of some sort. However, it's hard to believe that a hosting provider would include this in their default 404 page if it was. So, is this a vulnerability or not?
More posts by @Looi9037786
4 Comments
Sorted by latest first Latest Oldest Best
So long as the REQUEST_URI is HTML Encoded there is absolutely no risk in displaying it.
Infact, it is generally good practice if the 404 page redirects to show the originally request URL so that the user can see exactly what they entered. This helps them to see if they made an obvious typo. This is the reason why so many default 404 pages do show this - it aids the user.
Echoing the failed URI may enable an XSS attack (it depends on your site) as the URL could be constructed so that a piece of JavaScript is injected and runs on your site. As such this injected JavaScript would have access to the users cookies and if he was logged in it could be used to gain his private information in your system.
As long as the URI is sanitized (not allowed to include < or > for example) this should be fine.
You can test this with the following URI:
/doesnotexist/"--><script language="javascript">alert("hello world")</script>
It may need some tweaking to work (assuming it can be made to work)
Any information that you don't want people to see is a security risk, my advice would be to never use default 404's not only do they look ugly and provide very little functionality but they can as you are asking cause security concerns.
Have a look at this site - www.smashingmagazine.com/2007/08/17/404-error-pages-reloaded/ for ideas on what you could do with a 404.
However, it's hard to believe that a
hosting provider would include this in
their default 404 page if it was
Don't be so sure - I was with a very reputable host (or so I thought) who got hacked due to an unpatched vulerability and every single site on the host was deleted by the hacker. Their response - roll back to the last backup (72 hours old) and hope nobody notices.
That said, there have been 404 XSS attacks in the past but they usually only affect a single piece of software, not an entire system. I don't know how including the URI would affect such an attack though.
The ONLY thing I can think of, is if your web host was really poor, and I requested /gimma404.html?'); DELETE * FROM Users; -- and somehow the RequestURI was logged into a database and not escaped then you could have an SQL Injection attack.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.