
403 Forbidden when passing URL in GET variable

Question:

I am having a problem like this: 403 Forbidden on PHP page called with url encoded in a $_GET parameter (https://stackoverflow.com/questions/1089744/403-forbidden-on-php-page-called-with-url-encoded-in-a-get-parameter)

I am getting a "403 Forbidden" error when I pass a URL as a GET variable like this:

    http://script/test.php?url=https://stackoverflow.com/questions/ask

But this is OK:

    http://script/test.php?url=stackoverflow.com/questions/ask

And even if I urlencode the URL it still gives me a 403.

    Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at ----- Port 80

And I don't think this server has mod_security enabled, because when I add SecFilterEngine Off in .htaccess I get "500 Internal Server Error".

Code snippet:

    $URL = mysql_real_escape_string($_GET['url']);
    mysql_query("INSERT INTO `url` ...");

So the question is: can I fix this without editing httpd.conf, because I don't have root privileges? Thanks

Answer1:

Do you have access to the Apache error log itself? If this is a cPanel system and you have shell access, try viewing the log /usr/local/apache/logs/error_log - mod_security errors will appear there. Otherwise, you can look inside your control panel to see if it picks up any error messages.

Even if mod_security is installed, you can still get a 500 error after putting SecFilterEngine in .htaccess if the keyword isn't allowed.

I recommend contacting your web host to determine whether mod_security is the cause. If it is, you can ask them to create an exception. (I work for a web hosting company, and we're almost always happy to make mod_security exceptions for reasonable applications)

If it's caused by mod_security and your web host won't create an exception, you either need to change hosting companies or find a different way to pass the URL (base64 encoding might work for you).
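Answer1's base64 idea carried through as an added example (PHP, not code from the question or either answer): the sending side encodes the URL as base64url, and test.php decodes it, accepts only an absolute http(s) URL with a host, and stores it with a prepared statement instead of the escaped-string query from the question. The function names, the query key `u`, the PDO DSN and the column name are assumptions.

```php
<?php
// Added example, not code from the question or either answer. Assumed names:
// encode_url_param(), decode_url_param(), query key "u", the PDO DSN and the
// column name in the `url` table.

// base64url (RFC 4648 section 5): '+' -> '-', '/' -> '_', padding dropped, so
// the query string carries no "http://", slashes or '=' for a rule to match on.
function encode_url_param(string $url): string {
    return rtrim(strtr(base64_encode($url), '+/', '-_'), '=');
}

// Returns the decoded URL, or null when the parameter is not base64url or
// does not decode to an absolute http(s) URL with a host.
function decode_url_param(string $param): ?string {
    if ($param === '' || !preg_match('~^[A-Za-z0-9_-]+$~', $param)) {
        return null;
    }
    $b64 = strtr($param, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    $url = base64_decode($b64, true);                       // strict: junk -> false
    if ($url === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    return $url;
}

if (PHP_SAPI === 'cli') {
    // Round-trip check from the command line: the link to send, then what
    // test.php would recover from it, then a rejected (non-base64url) value.
    $param = encode_url_param('https://stackoverflow.com/questions/ask');
    echo "http://script/test.php?u=$param\n";
    var_dump(decode_url_param($param));
    var_dump(decode_url_param('not base64!'));
    exit;
}

// Web side (test.php): decode and validate, then insert with a prepared
// statement rather than mysql_real_escape_string() plus string-built SQL.
$url = decode_url_param($_GET['u'] ?? '');
if ($url === null) {
    http_response_code(400);
    exit('invalid url parameter');
}
$pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');  // assumed DSN
$stmt = $pdo->prepare('INSERT INTO `url` (`url`) VALUES (?)');        // assumed column
$stmt->execute([$url]);
```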

Answer2:

For me the solution to this issue was getting my host (HostGator) to create an exception for mod_security on my site. mod_security is used for blacklisting certain types of operations, and it seems $_GET requests containing URLs (http://www.etc) were one, for whatever reason. As stated by lunixbochs, most hosts will be happy to sort it out for you.
