
Question:
I am having a problem like this:<br /><a href="https://stackoverflow.com/questions/1089744/403-forbidden-on-php-page-called-with-url-encoded-in-a-get-parameter" rel="nofollow">403 Forbidden on PHP page called with url encoded in a $_GET parameter</a>
I am getting "403 forbidden" error When i pass a url as a GET variable like this
<pre class="lang-none prettyprint-override">http://script/test.php?url=https://stackoverflow.com/questions/ask
But this is ok.
<pre class="lang-none prettyprint-override">http://script/test.php?url=stackoverflow.com/questions/ask
And even if i urlencode the url it still gives me a 403.
<blockquote>Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at ----- Port 80
</blockquote>And I don't think this server has mod_security enabled, Because when I add SecFilterEngine Off
in htaccess I get "500 Internal Server Error".
Code snippet:
$URL = mysql_real_escape_string($_GET['url']);
mysql_query("INSERT INTO `url` ...");
So the question is, can I fix this without editing httpd.conf, because I don't have root privilege. Thanks
Answer1:Do you have access to the apache error log itself? If this is a cPanel system and you have shell access, try viewing the log /usr/local/apache/logs/error_log - mod_security errors will appear there. Otherwise, you can look inside your control panel to see if it picks up any error messages.
Even if mod_security is installed, you can still get a 500 error after putting SecFilterEngine in .htaccess if the keyword isn't allowed.
I recommend contacting your web host to determine whether mod_security is the cause. If it is, you can ask them to create an exception. (I work for a web hosting company, and we're almost always happy to make mod_security exceptions for reasonable applications)
If it's caused by mod_security and your web host won't create an exception, you either need to change hosting companies or find a different way to pass the url (base64 encoding might work for you)
Answer2:For me the solution to this issue was by getting my host (hostgator) to create an exception for mod_security on my site. mod_security's used for blacklisting certain types of operations, and it seems $_GET requests containing urls (<a href="http://www.etc" rel="nofollow">http://www.etc</a>) was one, for whatever reason. As stated by lunixbochs most hosts will be happy to sort it out for you.