CSS is sometimes loading URLs relative to page - css

I see on MDN that relative URLs are relative to the css file, not to the current page.
I want to understand if there any exceptions or gotchas with using relative urls in CSS, as I can see in my access logs that some requests are using the wrong relative path.
Previous threads on here suggest there might be issues with old IE versions, but that doesn't seem to be what is causing this as the user agents here are modern.
The particularly annoying thing is that this doesn't affect all requests and I'm unable to reproduce the problem myself. I could just replace all the relative urls in my css with absolute and continue with my life but I want to understand what is causing this and discover if there is a better solution.
CSS file is loaded like <link rel="stylesheet" type="text/css" href="/static/css/common.min.css?v6" /> and in this
I have relative urls to images defined , e.g.
#go, #search_go {background: #EEE url(../img/silk/magnifier.png) no-repeat .4em .25em; padding-left: 1.8em;}
The CSS is minified using UglifyCSS but using Inspect element in my browser makes me think this is not the issue (also, of course it does work in the majority of requests).
An example of a bad request looks like
ip.ip.ip.ip - - [09/Jan/2022:20:22:20 +0000] "GET /foo/img/silk/magnifier.png HTTP/2.0" 404 1575 "https://example.com/foo/search/" "Mozilla/5.0 (Android 11; Mobile; rv:95.0) Gecko/95.0 Firefox/95.0"
An example of a 'good' request looks like
ip.ip.ip.ip - - [09/Jan/2022:21:07:32 +0000] "GET /static/img/silk/magnifier.png HTTP/2.0" 200 615 "https://example.com/foo/search/" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1"
To note this is not just affecting a single browser, some other user agents which show up in the access logs with "bad" requests are
"Mozilla/5.0 (Android 11; Mobile; rv:95.0) Gecko/95.0 Firefox/95.0"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"```

Related

Wordpress site gets infected with malware, random POST requests from hackers return 200 results, trying to understand how this happens

A word press site i maintain, gets infected with .ico extension PHP scripts and their invocation links. I periodically remove them. Now i have written a cron job to find and remove them every minute. I am trying to find the source of this hack. I have closed all the back doors as far as i know ( FTP, DB users etc..).
After reading similar questions and looking at https://perishablepress.com/protect-post-requests/, now i think this could be because of malware POST requests. Monitoring the access log i see plenty of POST requests that fail with 40X response. But i also see requests that succeed which should not. Example one below, first request fails, similar POST Requests succeeds with 200 response few hours later.
I tried duplicating a similar request from https://www.askapache.com/online-tools/http-headers-tool/, but that fails with 40X response. Help me understand this behavior. Thanks.
POST Fails as expected
146.185.253.165 - - [08/Dec/2019:04:49:13 -0700] "POST / HTTP/1.1" 403 134 "http://website.com/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) RockMelt/0.9.58.494 Chrome/11.0.696.71 Safari/534.24" website.com
Few hours later same post succeeds
146.185.253.165 - - [08/Dec/2019:08:55:39 -0700] "POST / HTTP/1.1" 200 33827 "http://website.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.861.0 Safari/535.2" website.com
146.185.253.167 - - [08/Dec/2019:08:55:42 -0700] "POST / HTTP/1.1" 200 33827 "http://website.com/" "Mozilla/5.0 (Windows NT 5.1)

A spam site is forwarding my site and showing add at the end of it

I made a new website with Wordpress which is http://drfarzin.net I randomly was googling my site that i saw another domain is presenting my site http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8=! plus it has an advertisement at the end of it.
here is the steps i did to prevent this spam but it didn't succeed:
saw my log file while requesting to http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8=
which was {5.78.123.116, 162.158.89.204 - -
[08/Apr/2016:04:32:46 -0400] "GET / HTTP/1.1" 200 39199 "http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8=" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
- - -
[08/Apr/2016:04:32:46 -0400] "GET / HTTP/1.0" 200 25733 "-" "-"
5.78.123.116, 162.158.89.204 - -
[08/Apr/2016:04:32:47 -0400] "GET /wp-admin/admin.php?page=stats&noheader&proxy&chart=admin-bar-hours-scale-2x HTTP/1.1" 200 613 "http://drfarzin.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
}
pinging http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8= then block its ip in cloudflare and wordfence (wordpress plugin)
**the odd part that i dont undrestand is while you brows in to http://upciran.ir/web/aHR0cDovL2RyZmFyemluLm5ldC8= , its url will not be changed **
It's loaded from iframe...
You cannot check it from the server's side, but you can use javascript to detect it after the page has loaded. Compare top and self, if they're not identical, you are in a frame.
Additionally, some modern browsers respect the X-FRAME-OPTIONS header, that can have two values:
DENY – prevents the page from being rendered if it is contained in a frame
SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.
Users include Google's Picasa, that cannot be embedded in a frame.
Browsers that support the header, with the minimum version:
IE8 and IE9
Opera 10.50
Safari 4
Chrome 4.1.249.1042
Firefox 3.6.9 (older versions with NoScript)
EXAMPLE:
if(top!=self){
top.location.replace(document.location);
alert("For security reasons, framing is not allowed; click OK to remove the frames.")
}

Illegal characters in path depending on User-Agent?

I have two identical calls to ASP.NET, the only difference is the User-Agent. I used Fiddler to reproduce the issue.
The HTTP request line is:
PUT http://localhost/API/es/us/havana/club/tickets/JiWOUUMxukGVWwVXQnjgfw%7C%7C214 HTTP/1.1
Works with:
User-Agent: Mozilla/5.0 (Linux; Android 4.3; Nexus 10 Build/JSS15Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2307.2 Safari/537.36
Fails with:
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Everything else is 100% the same.
In my case, the root cause was MVC's MultipleViews and DisplayMode providers. This allows MVC apps to magically pick up device-specific views; e.g.
custom.cshtml
customer.mobile.cshtml
This article has a good explanation of the functionality as well as details how to turn it off:
https://learn.microsoft.com/en-us/archive/msdn-magazine/2013/august/cutting-edge-creating-mobile-optimized-views-in-asp-net-mvc-4-part-2-using-wurfl
I fixed this by adding Microsoft.AspNet.WebPages package to my project and adding a call to this code in my startup (application_start in global.asax or if using OWIN, the method decordated w/ OwinStartup attribute):
public static void RegisterDisplayModes()
{
// MVC has handy helper to find device-specfic views. Ain't no body got time for that.
dynamic modeDesktop = new DefaultDisplayMode("") { ContextCondition = (c => { return true; }) };
dynamic displayModes = DisplayModeProvider.Instance.Modes;
displayModes.Clear();
displayModes.Add(modeDesktop);
}

Cannot upload image to wordpress (nginx+varnish+apache)

I'm running two servers.
One is a gateway running nginx for dispatching requests for different domains to different servers.
The other one is the the server for my WordPress installation.
I'm using Varnish in front of Apache to do caching stuffs (only caching, no load balancing). I've turned off KeepAlive and set Timeout to 20 seconds for Apache.
Now I'm uploading an image of size 160KB and it fails, while my server configuration allows a maximum size of 20MB. After I submit the upload form in WordPress, I can see from the status line of my browser that the file is uploaded several times (mostly 2 or 3). When I use the asynch uploading plugin of WordPress, I can also see the progress bar growing from 0% to 100% and over and over again, until it fails.
When it fails, it stucks at the path /wp-admin/media-upload.php?inline=&upload-page-form= and Chrome says "Error 101 (net::ERR_CONNECTION_RESET): The connection was reset." I've tried Firefox, exactly the same.
I cannot see anything relevant in the error logs of Varnish and Apache. However, I do see mutiple lines of the following log in the access log of nginx:
220.255.1.18 - - [01/Jan/2013:12:16:36 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
220.255.1.29 - - [01/Jan/2013:12:16:41 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
220.255.1.23 - - [01/Jan/2013:12:16:51 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
220.255.1.26 - - [01/Jan/2013:12:17:03 +0800] "POST /wp-admin/media-upload.php?inline=&upload-page-form= HTTP/1.1" 400 0 "http://MY-DOMAIN/wp-admin/media-new.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
So what's the problem? How can I fix it?

CSS3 - Multiple backgrounds sometimes causes 404 errors

I'm using the CSS3 ability to apply multiple background images to an element. Currently, I have this code in my stylesheet:
body{background:url("images/emblem.png") top center no-repeat, url("images/background.png");background-color:#EAE6D9}
The code works in all browsers that support it. And those that it doesn't defaults down to the background-color.
However, watching the access log files for the site, I'm noticing 404 errors pop up for, what looks to be, a malformed request based on this CSS initiative. The funny thing is, they are coming from someone using Firefox 5. I'm using Firefox 5 and I cannot get an error to show up in the log for my IP.
Here's the error line from the log:
10.21.7.246 - - [28/Jun/2011:12:02:01 -0500] "GET /templates/images/emblem.png%22),%20url(%22http://ulabs.illinoisstate.edu/templates/images/background.png HTTP/1.1" 404 1005 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
I have a feeling the problem is coming from the fact that the " and the space is being URL encoded, but I'm definitely not doing that. And it doesn't happen all the time. Looking at requests from my IP address, the request is properly split up.
10.1.8.129 - - [28/Jun/2011:12:29:33 -0500] "GET /templates/images/background.png HTTP/1.1" 304 - "http://ulabs.illinoisstate.edu/templates/style.1308848695.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
10.1.8.129 - - [28/Jun/2011:12:29:33 -0500] "GET /templates/images/emblem.png HTTP/1.1" 304 - "http://ulabs.illinoisstate.edu/templates/style.1308848695.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
Has anyone experienced this behavior before? Or have any ideas on what I might try to resolve the issue?
We've discovered it's YSlow causing the error to be generated. When running YSlow, the error would appear in the log immediately for that IP address. Since this really isn't really a problem, luckily there's nothing we need to fix on our end.

Resources