
XSS vulnerability on Apache PHP scripts


I have two CentOS8 servers running Apache with MOD_PHP. We've discovered appending a slash to the end of urls changes the base-uri within the scripts creating an XSS vulnerability.
For example http://myserver.com/Login.php/ or http://myserver.com/Login.php/extra_stuff/ causes the base-uri for relative links and images to be incorrect. If extra_stuff contains javascript, you can potentially change content on the page.

How do I stop Apache from treating PHP scripts like a directory if they have a trailing slash and return a 404? I'd rather not have to edit every single page to add a tag.

What confuses me is why the below Apache config is matching a PHP script with a trailing slash and extraneous characters when it doesn't really exist, and sending it on to the handler.

<FilesMatch \.(php|phar)$>
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>

Solution

  • As @CBroe explains in a comment:

    I don’t see how this would create any vulnerability though, unless you actively output the request URL path somewhere. Just because the URL is http://myserver.com/Login.php/extra_stuff/ and that implicitly is the base URL all relative URLs will get resolved against, does not mean any JavaScript code in there would get executed. When you insert the URL into the document without any treatment and consideration, then this can of course be an XSS issue.

    AcceptPathInfo explains the behavior. The vendor's code did indeed have lots of unsanitized uses of $_SERVER["PHP_SELF"] that I have corrected.
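The mechanism behind the question and the fix described in the solution, as an added example (not code from the question, from the vendor's application, or from @CBroe's comment). It runs from the PHP CLI with constructed $_SERVER values standing in for what Apache hands a script when a request like /Login.php/extra_stuff/ is accepted as path info; the function names are hypothetical, and the injected path segment is a constructed sample that only breaks out of the attribute with a bold tag.

```php
<?php
// Added example. Shows why echoing $_SERVER['PHP_SELF'] unescaped is an XSS
// sink when Apache accepts trailing path info, and two ways to harden it.

// Constructed request data: what the script sees for
//   GET /Login.php/"><b>injected</b>/
// once Apache has mapped the request to Login.php and kept the remainder
// as PATH_INFO. PHP_SELF is SCRIPT_NAME plus PATH_INFO.
$_SERVER['SCRIPT_NAME'] = '/Login.php';
$_SERVER['PATH_INFO']   = '/"><b>injected</b>/';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable pattern (the kind of code the vendor shipped): PHP_SELF carries
// the attacker-controlled path info and is written raw into an attribute,
// so the embedded quote closes the attribute and the rest becomes markup.
function vulnerable_form_action(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened option 1: keep PHP_SELF but escape it for the attribute context.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise break the form.
function escaped_form_action(): string {
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Hardened option 2: use SCRIPT_NAME, which never includes PATH_INFO, and
// still escape it. Server variables are request-derived, so they are input.
function script_name_form_action(): string {
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Simple check for a review or a unit test: a correctly rendered fragment
// contains exactly one '<' (the opening <form). More than one means the
// attribute was broken out of.
function attribute_broken_out(string $html): bool {
    return substr_count($html, '<') > 1;
}

echo "vulnerable : " . vulnerable_form_action() . PHP_EOL;
echo "escaped    : " . escaped_form_action() . PHP_EOL;
echo "script_name: " . script_name_form_action() . PHP_EOL;
echo "vulnerable breaks out? " . (attribute_broken_out(vulnerable_form_action()) ? 'yes' : 'no') . PHP_EOL;
echo "escaped breaks out?    " . (attribute_broken_out(escaped_form_action()) ? 'yes' : 'no') . PHP_EOL;
```

The server-side half of the answer to the original question is the directive the solution names: with `AcceptPathInfo Off` in the relevant `<Directory>` or virtual host block, Apache returns 404 for a request whose path continues past the script file, so /Login.php/ and /Login.php/extra_stuff/ never reach PHP at all. That setting and the output escaping above are complementary: the first removes the trailing-slash entry point, the second makes the pages safe even where path info is still needed by some script.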