  1. #1
    SitePoint Zealot
    Join Date
    Oct 2009
    Posts
    141

    Strange 403 Forbidden error

    I've just discovered a very strange Forbidden error my server is returning when I submit a form. If any of the fields contain "http://", the server returns a 403 Forbidden error. I really can't understand this? Any help will be greatly appreciated!
    -------------------------------
    http://www.divinglogs.net
    The free online diving community

  2. #2
    Founder of Primal Skill Ltd. feketegy's Avatar
    Join Date
    Aug 2006
    Posts
    482
    Check your folder / file permissions.

  3. #3
    SitePoint Zealot
    Join Date
    Oct 2009
    Posts
    141
    The thing is there is no problem until any one of the form fields contains "http://". "htpt://" works fine as well. When would a file/folder permission be that might involve such a thing?

    My .htaccess file contains the following:
    Code:
    #Options -Indexes
    Options +FollowSymlinks
    ErrorDocument 404 /404.php
    
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    I had denied folder file listings, but I commented that out and I still got the same error.

  4. #4
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,607
    ben,

    Does the line "deny from all" in either of your limit directives mean anything to you? Frankly, you don't need either of the limit blocks.

    For that matter, I'd uncomment the -Indexes line and delete the +FollowSymLinks (but only because that would be in the httpd.conf or apache.conf file).

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  5. #5
    SitePoint Zealot
    Join Date
    Oct 2009
    Posts
    141
    Hi

    The limit part is put in by my host I'm guessing, as it has always been there. I thought it probably didn't mean much so I just left it there. Have removed it now along with your other suggestions, but this still does not solve my problem.

    I've done a couple of tests to try to isolate the problem, and it definitely seems that the server is throwing this error if and only if any of the form fields contains the text "http://". I've tried submitting the form to other pages and I get the same error. Also, this only happens when "http://" are the first characters of the form field.

    What could possibly be causing this?

  6. #6
    Founder of Primal Skill Ltd. feketegy's Avatar
    Join Date
    Aug 2006
    Posts
    482
    What do you mean by http:// form field?

    Paste the HTML code of your form

  7. #7
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,607
    Presumably, the "http://" in the "form field" is in the value for the action - and that should not cause a problem (with the GET block removed).

    Regards,

    DK

  8. #8
    SitePoint Zealot
    Join Date
    Oct 2009
    Posts
    141
    Hi

    Sorry, I wasn't very clear. The "http://" was the value of a form field, i.e. if a user typed "http://www.mysite.com" in a text box and submitted the form. I found another similar error with another phrase so I took it up with my host, and apparently it's due to a mod_security rule for added site security to prevent SQL injection attacks. I've had that lifted now though so it has solved the problem.

    Thanks for all the help though, greatly appreciated!
    -------------------------------
    http://www.divinglogs.net
    The free online diving community
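
Added example, not part of the original thread or the host's configuration: a ModSecurity 2.x rule of the shape that would produce the behaviour described in post #8, with a blanket removal shown beside a scoped exclusion. The rule IDs, the field name `website` and the path `/profile.php` are assumptions.

```apache
# Constructed example. Rule IDs 900100/900101, the field name "website"
# and the path /profile.php are placeholders, not values from this thread.

# --- A rule of the kind that produces the symptom ---------------------
# Denies any request in which a parameter VALUE begins with a URL scheme.
# "htpt://..." does not match, and "see http://..." does not match
# either, because the pattern is anchored to the start of the value.
SecRule ARGS "@rx ^(?:ht|f)tps?://" \
    "id:900100,phase:2,deny,status:403,log,\
    msg:'Parameter value starts with a URL (constructed example rule)'"

# --- Blanket fix: remove the rule outright ----------------------------
# Every field on every page loses the check.
# SecRuleRemoveById 900100

# --- Scoped fix: exempt one field on one page -------------------------
# Runs in phase 1, before the phase 2 rule above is evaluated, and drops
# only ARGS:website from that rule's targets for matching requests.
# All other parameters and all other URLs are still inspected.
SecRule REQUEST_FILENAME "@endsWith /profile.php" \
    "id:900101,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=900100;ARGS:website"
```

The Apache error log entry written for the 403 carries the triggering rule's `[id "..."]` tag, which is the value to use in place of the placeholder ID. A field exempted this way is no longer checked by that rule, so the application has to validate it as a URL itself.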

  9. #9
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,607
    Oh, okay, ben, but I've been faced with that same situation and, knowing that a value is a URL, I never add/allow the protocol to be passed as it's illegal in a URI (http://www.ietf.org/rfc/rfc2396.txt - Uniform Resource Identifiers Generic Syntax). IMHO, strip the protocol (http(s):// or mailto://) before sending your form off to be processed.

    Regards,

    DK

