How to fix "URL rewrite vulnerability" in Laravel version 5.2.45 - security

I am getting the below security warning in the scan report with a Laravel project built in version 5.2.45.
URL rewrite vulnerability
Below is the description.
It was identified that this application supports the legacy headers X-Original-URL and/or X-Rewrite-URL. Support for these headers lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header and allows a user to access one URL but have the web application return a different one, which can bypass restrictions on higher level caches and web servers. Many web frameworks such as Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2, zend-diactoros up to 1.8.4, zend-http up to 2.8.1, zend-feed up to 2.10.3 are affected by this security issue.
Any suggestions on how to fix this will be much appreciated.

Maybe "composer update" after setting the new value in composer.json?
"laravel/framework": "5.3.*",
As documented here: https://laravel.com/docs/5.3/upgrade

Got the Fix. Added below code to the root htaccess file.
<IfModule mod_headers.c>
RequestHeader unset X-Original-URL
RequestHeader unset X-Rewrite-URL
</IfModule>
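A regression check for the fix above, as an added example that is not part of the original answer or of Laravel/Symfony: it asks for a page that exists while each legacy header points at a random path that cannot exist, and reports the headers that still change the response. The in-memory backends, the route set and all function names are constructed for illustration; `fetch` is a hypothetical callable that returns an HTTP status code.

```python
import uuid

OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def make_backend(routes, honours_override, unset_at_server):
    """Constructed stand-in for web server + framework: fetch(path, headers) -> status."""
    def fetch(path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if unset_at_server:
            # Same effect as the `RequestHeader unset` lines in the answer above.
            for name in OVERRIDE_HEADERS:
                headers.pop(name.lower(), None)
        if honours_override:
            # An affected framework routes on the header value, not the URL path.
            for name in OVERRIDE_HEADERS:
                if name.lower() in headers:
                    path = headers[name.lower()]
                    break
        return 200 if path in routes else 404
    return fetch


def override_honoured(fetch, known_good_path="/"):
    """Return the override headers the application still acts on.

    A status change between the baseline request and the request carrying
    the header means routing followed the header instead of the URL.
    """
    baseline = fetch(known_good_path, {})
    canary = "/canary-" + uuid.uuid4().hex  # random path, cannot be a real route
    return [name for name in OVERRIDE_HEADERS
            if fetch(known_good_path, {name: canary}) != baseline]


ROUTES = {"/", "/login"}  # constructed sample routes
before_fix = make_backend(ROUTES, honours_override=True, unset_at_server=False)
after_fix = make_backend(ROUTES, honours_override=True, unset_at_server=True)
patched_framework = make_backend(ROUTES, honours_override=False, unset_at_server=False)

if __name__ == "__main__":
    print("before fix:", override_honoured(before_fix))
    print("after fix: ", override_honoured(after_fix))
```

Against a real deployment, supply a `fetch` that sends the request to your own site and returns the status code. An empty list after the change also confirms that mod_headers is loaded, since the `<IfModule>` wrapper makes the directives a silent no-op when it is not.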

Related

Apache configuration 2.4

I need to perform the following configuration on my Apache server, version 2.4, with CentOS system.
The instructions I received are as follows:
Configuring Another Web Server to Serve the Files
If another web server is using port 80 on the same server as Centova Cast, you will need to use this method.
This method depends upon your knowledge of the other web server you are using; you must be familiar enough with your web server of choice to configure it appropriately. Centova Technologies cannot provide support or assistance with any changes to your web server's configuration.
To allow "Let's Encrypt" to validate your domain ownership, you must configure your web server such that any requests for files under the following URI (replacing example.com with your own domain name):
http://example.com/.well-known/acme-challenge/
...are configured to serve files from the following directory:
/usr/local/centovacast/etc/ssl/acme-challenges/
So for example, if you create a file called /usr/local/centovacast/etc/ssl/acme-challenges/test.txt, you should be able to visit http://example.com/.well-known/acme-challenge/test.txt in your browser and see the contents of the test.txt file.
A few example configurations are provided below. Please note, however, that differences in your web server configuration may require additional settings not mentioned here.
Example apache:
Alias /.well-known/acme-challenge /usr/local/centovacast/etc/ssl/acme-challenges
<Directory /usr/local/centovacast/etc/ssl/acme-challenges>
    Options None
    AllowOverride None
    # Apache 2.x
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Directory>
I've tried everything and I can't get it to work, how should the correct configuration be done?
My configuration file is located at: /etc/httpd/conf/httpd.conf

Magento 2.2.2 error .htaccess IfVersion 2.4

In the default .htaccess in Magento 2.2.2 there are in 2 of the things like below:
<Files cron.php>
<IfVersion < 2.4>
order allow,deny
deny from all
</IfVersion>
<IfVersion >= 2.4>
Require all denied
</IfVersion>
</Files>
There are something like 20 of these for some files (e.g. composer.json, composer.lock, .gitignore, etc.)
When updating Magento I got a lot of errors; when I removed them from the .htaccess the problem was gone.
Why are these version checks there, what do they do and what can happen when I remove them?
I faced the same problem on Centos(Cpanel) Apache 2.4. The issue was resolved by enabling the mod_version module for Apache.
Earlier versions of Magento do not have support for Apache version >=2.4. I used to replace order allow,deny and deny from all lines with Require all denied in htaccess files manually to resolve the issue.
From the Magento 2.2.2 version, code is changed to support apache version >= 2.4 also. ( https://github.com/magento/magento2/pull/11459/files )
As per the info you have mentioned, I inferred that your Apache version is < 2.4; rather than editing all 24 files, you can load mod_version.
You have to load the version module from the Apache configuration file as below.
LoadModule version_module /usr/lib64/apache2/mod_version.so
otherwise you may get "Internal server error".
This is apache versioning.
You can get more details from the above GitHub link
https://github.com/magento/magento2/issues/10810
These changes are made as per security prospect to improve the direct file access algorithm.

Linux - Cannot hide Apache version of vhosts

I actually set up a vhost with apache2 and I have a problem with the hardening of my vhost; the Apache version and server OS are displayed in the header.
When I use the main server link, the version is hidden.
Help please.
Thanks.
You can hide the Server version like so:
ServerSignature Off
ServerTokens Prod
You will need to edit your .htaccess file or the main httpd.conf file.
use prod as server token
https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
set server signature to off
https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
hth

Where is x-content-type-options: nosniff coming from?

I am using express 4.x with node 4.4.3. The web server is nginx and I am running a http server module in node - for which I am using nginx as a reverse proxy (using 'upstream'). I see the below response header when I inspect it in browser console
x-content-type-options: nosniff
I have thoroughly checked my nginx conf file for this setting / header but it isn't there. Wonder if I could get some pointers as to where it might be coming from? And when I add add_header X-Content-Type-Options nosniff; in nginx.conf then I see the above appear twice in the response headers as shown below
X-Content-Type-Options:nosniff
X-Content-Type-Options:nosniff
Wonder what's causing this. Please let me know if any further information is needed. Thanks
Here's my node installed modules folder contents
This is probably coming from a package installed in your express application. You should check the package.json file. Look for the dependencies part listing all the packages installed.
Helmet is typically one of the packages adding the X-Content-Type-Options:nosniff header.
Edit: according to your list of dependencies the most probable solution is that you return 'jsonp' content with Express. In this case Express will add the X-Content-Type-Options header when no Content-Type header is set by the user (see the response.js file at line 289 in node_modules/express/lib).
It could also come from one or another dependency used by Express like 'finalhandler', 'send' or 'serve-static' (see there for Express' dependencies list) but it is hard to be sure without debugging your whole application.

Will changing version from .htaccess will affect performance

I am using hostgator web server to host my website. To use php 5.3 on my webserver I need to edit my .htaccess as
AddType application/x-httpd-php53 .php
I was just wondering if doing so will affect the performance of the webserver. Should I use their default version 5.2 or continue using 5.3 using rewrite?
