Deploying DVWA behind a reverse proxy with a prefix
adb014 opened this issue · 7 comments
I'm deploying DVWA behind a reverse proxy with an htdigest to allow a limited number of people access to it to play around. My problem is that my nginx proxy rewrites the prefix for DVWA and HTTP_X_FORWARDED_PREFIX is not taken into account during the redirects; this messes up the redirected page, for example when changing the security level. A simple patch:
diff -u DVWA-2.3/dvwa/includes/dvwaPage.inc.php.orig DVWA-2.3/dvwa/includes/dvwaPage.inc.php
--- DVWA-2.3/dvwa/includes/dvwaPage.inc.php.orig 2023-10-24 20:52:21.853896655 +0200
+++ DVWA-2.3/dvwa/includes/dvwaPage.inc.php 2023-10-24 20:53:21.023468344 +0200
@@ -113,7 +113,7 @@
function dvwaPageReload() {
- dvwaRedirect( $_SERVER[ 'PHP_SELF' ] );
+ dvwaRedirect( $_SERVER[ 'HTTP_X_FORWARDED_PREFIX' ] . $_SERVER[ 'PHP_SELF' ] );
}
function dvwaCurrentUser() {
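Review bot: the `+` line reads `$_SERVER[ 'HTTP_X_FORWARDED_PREFIX' ]` unconditionally, so every deployment that is not behind a proxy will log an undefined array key warning on each page reload; guard it with `isset()` and keep the existing `dvwaRedirect( $_SERVER[ 'PHP_SELF' ] );` as the fallback. The value is also a plain request header rather than something the application set itself, so it should only be honoured when the proxy is known to set or strip it, and preferably only when it looks like a path prefix (leading `/`, no scheme), since the hunk concatenates it straight into the redirect target.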
fixes this. As $_SERVER['HTTP_X_FORWARDED_PREFIX'] will not be set if DVWA is not behind a proxy, this change won't impact DVWA in normal use.
When HTTP_X_FORWARDED_PREFIX isn't in the SERVER hash, PHP will throw a warning about accessing an undefined key. You'll need to add some additional checking and only add it if it exists.
Will you accept a patch like that? If so I'll propose something with the additional checking, something like
function dvwaPageReload() {
	// Only prepend the proxy prefix when the header is actually present,
	// so a deployment without a proxy behaves exactly as before.
	if ( array_key_exists( 'HTTP_X_FORWARDED_PREFIX', $_SERVER ) ) {
		dvwaRedirect( $_SERVER[ 'HTTP_X_FORWARDED_PREFIX' ] . $_SERVER[ 'PHP_SELF' ] );
	} else {
		dvwaRedirect( $_SERVER[ 'PHP_SELF' ] );
	}
}
Not sure if I can be bothered to clone the repo and do a pull request for such a simple change though
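The check discussed above, carried one step further as an added example (this is not DVWA's code and not the patch proposed in the thread): the helper name `forwardedPrefixRedirectTarget` is hypothetical, it takes the server array as a parameter so it can be run stand-alone against constructed inputs, and it treats X-Forwarded-Prefix as an untrusted request header, accepting it only when it is a plain path prefix rather than an absolute URL. `dvwaPageReload()` and `dvwaRedirect()` are DVWA's own functions and are only referenced in a comment.

```php
<?php
// Added example, not DVWA code. Build the redirect target for a page reload,
// honouring X-Forwarded-Prefix only when it is present and is a path prefix.
function forwardedPrefixRedirectTarget(array $server): string {
    $self = $server['PHP_SELF'] ?? '/';

    // No header (no proxy in front): behave exactly as DVWA does today.
    if (!isset($server['HTTP_X_FORWARDED_PREFIX'])) {
        return $self;
    }
    $prefix = $server['HTTP_X_FORWARDED_PREFIX'];

    // The header is just a request header, so only accept a plain path prefix:
    // a single leading slash (a "//" prefix would be read by browsers as a
    // protocol-relative URL), no scheme, and only URL path characters.
    if (!preg_match('#^/(?!/)[A-Za-z0-9._~/-]*$#', $prefix)) {
        return $self;
    }

    // Drop a trailing slash so "/dvwa/" + "/security.php" does not become "/dvwa//security.php".
    return rtrim($prefix, '/') . $self;
}

// In DVWA's dvwaPage.inc.php the call site would read:
//   function dvwaPageReload() { dvwaRedirect( forwardedPrefixRedirectTarget( $_SERVER ) ); }

// Constructed sample server environments for a stand-alone run.
$cases = [
    'no proxy'       => ['PHP_SELF' => '/vulnerabilities/sqli/index.php'],
    'nginx prefix'   => ['PHP_SELF' => '/vulnerabilities/sqli/index.php',
                         'HTTP_X_FORWARDED_PREFIX' => '/dvwa'],
    'trailing slash' => ['PHP_SELF' => '/security.php',
                         'HTTP_X_FORWARDED_PREFIX' => '/dvwa/'],
    'absolute URL'   => ['PHP_SELF' => '/security.php',
                         'HTTP_X_FORWARDED_PREFIX' => 'https://other.example/'],
];
foreach ($cases as $label => $env) {
    printf("%-14s -> %s\n", $label, forwardedPrefixRedirectTarget($env));
}
// Expected: /vulnerabilities/sqli/index.php, /dvwa/vulnerabilities/sqli/index.php,
//           /dvwa/security.php, and /security.php (absolute URL rejected).
```

For the header to be present at all, the nginx location that strips the prefix has to send it, e.g. `proxy_set_header X-Forwarded-Prefix /dvwa;` in the same `location` block as the `proxy_pass`; if the proxy does not set it, any value a client supplies reaches PHP unchanged, which is why the helper validates it instead of concatenating it blindly.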
Can you make a tutorial on how to set it up on a virtual VM, so I can access it anywhere, like on DigitalOcean etc.?
Please don't hijack other issues with your own questions, start your own.
Pull request accepted, closing