ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


"Scan Attacks" Produce 200 Responses with "Invalid GET Data - Array" error instead of 404/403 Error

January 22, 2012 6:54am

  • #1 / Jan 22, 2012 6:54am

    Favio

    4 posts

    Hello,

    when I try to access a site with the following URL:

    http://host/phorum/plugin/replace/plugin.php?PHORUM

    it produces a 404 error, which is expected.


    However, when trying to access this URL:

    http://host/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=../../../../../../../proc/self/environ

    which is typical when being hit by someone scanning the website for vulnerabilities, I instead get this error: Invalid GET Data - Array

    Is there a way EE can return a 404 or 403 response, instead of a 200 response? 

    Thanks!

  • #2 / Jan 23, 2012 12:49pm

    Robin Sowell

    13255 posts

    Hi Favio,

    Not currently, but you make a good point.  I’ve added this into our internal tracker as a desired feature- because it is and it’s one that should be a quick addition for the dev team.  Currently, however, there isn’t a good way to do it natively.

  • #3 / Apr 13, 2012 1:33pm

    kayaker392

    11 posts

    Any update on status here?

  • #4 / Apr 13, 2012 3:05pm

    Robin Sowell

    13255 posts

    Thanks for the reminder to double check, Kayaker392.  As per this Bug Report we added 503 headers in a number of spots for the upcoming 2.5 release.  I just checked and made sure they’re in for the ‘Disallowed GET’ exit in EE_Input as well.

    Which is to say- it’s still an issue in 2.4, but should be good in upcoming 2.5.
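    As an added illustration of the behaviour discussed in #1 and #4 (example code, not ExpressionEngine's own Input class): PHP's query-string parser turns `PHORUM[settings_dir]=...` into an array value, and a bare `exit()` after detecting it leaves the implicit 200 status in place, so the fix is to set an explicit non-200 status before exiting. The function name and the choice of 403 are assumptions; EE 2.5 used 503 per the post above.

```php
<?php
// Added example, not EE's code. Decide whether a parsed GET array should be
// rejected. Returns null when acceptable, otherwise the HTTP status to send.
function disallowedGetStatus(array $get, int $rejectStatus = 403): ?int
{
    foreach ($get as $key => $value) {
        // PHP turns "name[sub]=value" into a nested array; EE refuses such
        // GET keys ("Invalid GET Data - Array"). Report it as a client error.
        if (is_array($value)) {
            return $rejectStatus;
        }
    }
    return null;
}

// Constructed inputs taken from the two URLs in the thread (not live requests).
$expected = [];
parse_str('PHORUM', $expected);                                   // ['PHORUM' => '']
$scan = [];
parse_str('PHORUM[settings_dir]=../../../../../../../proc/self/environ', $scan);
// $scan is ['PHORUM' => ['settings_dir' => '../../../../../../../proc/self/environ']]

var_dump(disallowedGetStatus($expected)); // NULL
var_dump(disallowedGetStatus($scan));     // int(403)

// How the rejection should be emitted: status line first, then exit.
// Without http_response_code() the response goes out as 200, which is the
// behaviour #1 reports and which hides the probe from status-based log filters.
$status = disallowedGetStatus($scan);
if ($status !== null) {
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Invalid GET Data - Array');
}
```

    Because the status is set before `exit()`, the request shows up in the web server's access log with a 4xx/5xx code rather than a 200, so scans can be filtered on status alone.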

  • #5 / Apr 13, 2012 3:37pm

    kayaker392

    11 posts

    Great, thanks!!
