I have a PHP CMS which has a settings section for the website. In these settings, it receives script codes automatically and then inserts them directly into templates.
The problem is that when the settings section is sent via Ajax for processing, the mod_security server blocks the POST request with a 403 error because of the script code in the request data.
We can solve this issue with the code below in .htaccess, but it deactivates mod_security, which does not make sense:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Does anyone have a solution for this issue, so that I can post the modified script via Ajax without the request being blocked?
Is it possible to put those scripts in the data by encoding them?
DATA example:
stats: <img id='apfurgvizp' style='cursor:pointer' onclick='window.open("https://logo.samandehi.ir/Verify.aspx?id=539&p=dshwxlapfvl", "Popup","toolbar=no, scrollbars=no, location=no, statusbar=no, menubar=no, resizable=0, width=450, height=630, top=60")' alt='logo-samandehi' src='https://logo.samandehi.ir/logo.aspx?id=539&p=ujyshwlbsiy'/>
ERROR on sending the Ajax request:
403 Forbidden Error
Server specifications:
Centos 7 Cloud Linux
CSF
CXS
modsecurity
CMS specifications:
pure PHP
OOP
Yes, disabling mod_sec entirely probably doesn't make much sense, but disabling the single rule that causes the false-positive alert does.
You can use
<IfModule mod_security.c>
SecRuleRemoveById 1234567
</IfModule>
to disable the particular rule that causes the 403.
Related
I have a simple custom MVC app using $_GET to parse a URL, and I've got it working on my dev server as well as a few different webhosts using PHP 7.1... but I'm trying to use x10hosting's free LAMP hosting and the data being passed from $_GET is coming through as 403...
I've proved that it works on other servers as well as my own dev server with this
echo '<pre>', $route->path, $_GET['url'], '</pre>';
when going to the url http://app/admin... this line in my loop gives me what should be expected...
/admin
adminadmin
but on x10's server i get this
/403.shtml
admin403.shtml
I have tried encoding to base64 with urlencode($_GET) as well as disabling mod_sec in the .htaccess with
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
neither solution worked... I'm almost certain it's a server config issue but access is pretty much limited to .htaccess and php.ini .... I haven't touched php or apache in a while and am a little lost... any help would be greatly appreciated
This does sound like a mod_security type issue. And, as you have found, you are unable to disable mod_security on the free hosting platform.
I have encountered mod_sec rules on a number of shared hosts that simply block the request based on certain parameter names (supposedly blocking common XSS attempts). url is a common one. site is another. Simply changing the parameter name might be all that's required.
"Free" hosting accounts are always going to have some restrictions. If this is the only thing that holds you back then you are lucky.
I have some existing PHP code on my server. Now I want to log complete information about requests that come to my server. I don't want to make any changes to the existing code. I am using Apache mod_rewrite for this. I have a sample PHP script, stats.php, which looks something like this
<?php
// stats.php: record details of the request in the database, then send the browser on to the URI it asked for.
// The DSN, credentials and table/column names below are placeholders.
$db = new PDO('mysql:host=localhost;dbname=stats', 'user', 'password');
$stmt = $db->prepare('INSERT INTO requests (server, referer, script, args) VALUES (?, ?, ?, ?)');
$stmt->execute(array(
    $_SERVER['SERVER_NAME'],
    isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '',
    $_SERVER['SCRIPT_NAME'],
    mb_convert_encoding($_SERVER['QUERY_STRING'], 'UTF-8', 'UTF-16'), // arguments, converted from UTF-16 to UTF-8
));
// Redirect the browser to the URI it originally requested
header('Location: ' . $_SERVER['REQUEST_URI']);
?>
In the httpd.conf file
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !/stats\.php
RewriteCond %{REQUEST_URI} !\/favicon\.php
RewriteRule ^/(.*)$ /stats.php?$1 [L]
RewriteLog "logs/error_log"
RewriteLogLevel 3
</IfModule>
The problem is, I am afraid this may not be best from an SEO perspective and may also be buggy. Are there any better ways to do this? For example, can I use a script with the access_log file?
Say for example, if you go to http://your-domain.com/some-page.html, you'll get a loop:
Browser contacts server with request URI /some-page.html
mod_rewrite rewrites the URI to /stats.php?some-page.html
The stats.php does its thing, then redirects the browser to /some-page.html
Browser contacts server with request URI /some-page.html
repeat starting at #2
What you need to do instead of responding with the Location: header is read the contents of the some-page.html file and return that to the browser, essentially "proxying" the request for the browser. The browser therefore doesn't get redirected.
As for how to do that in php, there's plenty of google results or even plenty of answers on Stack Overflow.
I figured out what I should do. I did the following
1) Added a custom LogFormat to the httpd.conf file.
2) Added a CustomLog directive. Piped the output to stats.php.
3) stats.php takes care of adding the code to database.
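The piped-log approach above (a custom LogFormat whose CustomLog output is piped into a script that writes to the database) is the one that avoids the redirect loop entirely, because the logger never touches the response. The following added example is not the original poster's stats.php; it is a stand-alone Python consumer for the same pipe, written to show the mechanics: Apache starts the script once, keeps its stdin open, and writes one line per request. The LogFormat and CustomLog lines in the comment, the script path and the SQLite database path are all assumptions for the demo; the sample log lines are constructed.

```python
import io
import sqlite3
import sys

# Assumed Apache configuration (hypothetical, not from the original post). A tab-separated
# LogFormat makes parsing unambiguous, and the piped CustomLog starts this script at server start:
#   LogFormat "%h\t%t\t%m\t%U\t%q\t%>s\t%{Referer}i\t%{User-Agent}i" stats
#   CustomLog "|/usr/bin/python3 /var/www/stats_logger.py" stats
FIELDS = ("client", "time", "method", "path", "query", "status", "referer", "user_agent")
SCHEMA = "CREATE TABLE IF NOT EXISTS requests (" + ", ".join(f + " TEXT" for f in FIELDS) + ")"


def parse_stats_line(line):
    """Split one log line into a dict keyed by FIELDS; return None for malformed input."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None  # skip rather than crash: if the pipe dies, Apache has to restart the logger
    rec = dict(zip(FIELDS, parts))
    rec["time"] = rec["time"].strip("[]")    # %t is wrapped in square brackets
    rec["query"] = rec["query"].lstrip("?")  # %q carries a leading '?' when a query string exists
    return rec


def run(stream, conn):
    """Consume log lines from stream until EOF, storing each parsed record; return the count stored."""
    conn.execute(SCHEMA)
    stored = 0
    for line in stream:
        rec = parse_stats_line(line)
        if rec is None:
            continue
        conn.execute("INSERT INTO requests VALUES (" + ", ".join("?" * len(FIELDS)) + ")",
                     [rec[f] for f in FIELDS])
        stored += 1
    conn.commit()
    return stored


# Constructed sample input in the assumed LogFormat: two valid lines and one malformed line.
SAMPLE = (
    "198.51.100.7\t[10/Jan/2020:12:00:00 +0000]\tGET\t/some-page.html\t?ref=mail\t200\thttps://example.com/\tMozilla/5.0\n"
    "198.51.100.7\t[10/Jan/2020:12:00:01 +0000]\tGET\t/favicon.ico\t\t404\t-\tMozilla/5.0\n"
    "garbage line\n"
)


def demo(text=SAMPLE):
    """Run the consumer over text against an in-memory database; return (count, [(path, query, status), ...])."""
    conn = sqlite3.connect(":memory:")
    count = run(io.StringIO(text), conn)
    rows = conn.execute("SELECT path, query, status FROM requests ORDER BY rowid").fetchall()
    return count, rows


if __name__ == "__main__":
    if sys.stdin.isatty():
        print(demo())  # no pipe attached: show the constructed sample instead
    else:
        run(sys.stdin, sqlite3.connect("/var/lib/stats/requests.db"))  # hypothetical database path
```

Because the logger runs as the Apache user and sees every request, keep the database file outside the document root and writable only by that user; the malformed-line check matters because a logger that exits on bad input takes the whole pipe down with it.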
My page shows a forbidden access error when I post some mixed HTML and JavaScript data from another page via the POST method.
But when I open that page directly, it appears correctly without any error.
I know this is a server security related issue when I am posting data.
As I searched, I found the solution of turning off mod_security in the .htaccess file.
But I want to do this just for this page, not for my complete website.
My hosting environment is shared, but I can edit my .htaccess file.
Take a look at some mod_security and .htaccess tricks. There's a lot of different ways you can enable or disable mod_security. The easiest may be to set the MODSEC_ENABLE environment variable to On or Off. You can use SetEnvIf to match against a number of things including the Request_URI:
SetEnvIf Request_URI your_page\.php$ MODSEC_ENABLE=Off
Or a number of pages:
SetEnvIf Request_URI ^/directory/file.*\.php$ MODSEC_ENABLE=Off
Or if you need to do something more complicated, like matching against a query string, using mod_rewrite:
RewriteEngine On
RewriteCond %{QUERY_STRING} example_param=example_value [NC]
RewriteRule ^path/your_file\.php$ - [E=MODSEC_ENABLE:Off]
Do you have the OWASP Core Rule set enabled? Check your Apache error log to see which rule is matching. You may find that it's blocking some of your legitimate users on other pages as well. Talk to your hosting provider about what rule set they are using and what they are doing about false positives.
To solve your immediate problem, you can prevent a URI from being blocked by adding a new SecRule (and you can do this in your .htaccess file).
SecRule REQUEST_URI "/your/uri" "phase:1,pass"
To limit this to POST requests, you could use REQUEST_LINE:
SecRule REQUEST_LINE "POST /your/uri" "phase:1,pass"
Depending on what rule is matching and blocking the request currently, you may have to change those to phase:2 or even add a second, identical rule with phase:2.
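Both the first answer on this page (disable only the rule id that fires, via SecRuleRemoveById) and the answer just above (check the Apache error log to see which rule is matching) come down to the same step: read the rule id and the matched variable out of the ModSecurity log entry before writing any exclusion. The following added example is not part of either answer or of ModSecurity; it is a small Python parser for ModSecurity 2.x error-log lines that extracts those fields and emits the narrowest exclusion. The log lines are constructed, the rule ids and file names in them are illustrative, and the SecRuleUpdateTargetById directive it emits is a real ModSecurity 2.x directive that the page itself does not mention: it strips one variable from one rule instead of removing the rule for every request.

```python
import re

# Constructed sample Apache error-log lines in ModSecurity 2.x format (not from any real server;
# rule ids and paths are illustrative). Line 1 is the rule that scored the request because the
# "stats" setting contains an <img ... onclick=...> tag; line 2 is the anomaly-score evaluation
# rule that actually returned the 403.
SAMPLE_LOG = """\
[Fri Jan 10 12:00:00.123456 2020] [:error] [pid 1234] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i)<img[^>]*onclick" at ARGS:stats. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "123"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [uri "/admin/settings/save"] [unique_id "Xa1b2c3"]
[Fri Jan 10 12:00:00.123789 2020] [:error] [pid 1234] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/admin/settings/save"] [unique_id "Xa1b2c3"]
"""

# [key "value"] pairs that ModSecurity appends to every entry (file, line, id, msg, uri, ...).
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# "... at ARGS:stats." names the variable (collection:name) the operator matched.
TARGET_RE = re.compile(r'\bat ([A-Z_]+:[^\s.]+)\.')


def parse_modsec_events(log_text):
    """Return one dict per ModSecurity entry: id, msg, uri, matched target and whether it denied."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        tags = dict(TAG_RE.findall(line))
        if "id" not in tags:
            continue
        match = TARGET_RE.search(line)
        events.append({
            "id": tags["id"],
            "msg": tags.get("msg", ""),
            "uri": tags.get("uri", ""),
            "target": match.group(1) if match else None,
            "denied": "Access denied" in line,
        })
    return events


def suggest_exclusions(events, uri):
    """Directives that stop the false positive for one URI while leaving the rule active elsewhere."""
    directives = []
    for ev in events:
        if ev["uri"] != uri:
            continue
        target = ev["target"]
        if not target or target.startswith("TX:"):
            # The anomaly-score evaluation rule only sums what other rules scored; excluding it
            # would switch blocking off entirely. Exclude the scoring rule's variable instead.
            continue
        # Narrower than SecRuleRemoveById: the rule keeps checking every other parameter.
        directives.append('SecRuleUpdateTargetById %s "!%s"' % (ev["id"], target))
    return directives


if __name__ == "__main__":
    found = parse_modsec_events(SAMPLE_LOG)
    for ev in found:
        print(ev["id"], "denied" if ev["denied"] else "warning", ev["target"], ev["msg"])
    print("\n".join(suggest_exclusions(found, "/admin/settings/save")))
```

The emitted directive must be loaded after the rule it modifies (for example in a file included after the rule set), and it should be wrapped in a location or SecRule chain for the one URI if that parameter is only expected to hold markup there; a global SecRuleUpdateTargetById exclusion of ARGS:stats exempts that parameter name on every page.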
I have always understood (unless I'm mistaken) that Apache's mod_rewrite engine requires
Options +FollowSymLinks
in order to work.
We have used modrewrite to hide the .php extension in addresses on a particular system in order to not reveal the chosen technology - PHP. We understand that one can still learn the server technology but you'd at least need to know how web servers work etc.
The problem is, the server techs have brought up the risk in using +FollowSymLinks, which I completely understand and agree with.
https://serverfault.com/questions/195570/htaccess-security
Aaron Copley: Symlinks aren't necessarily bad but you have to have a clear understanding of your implementation of Apache. To a non-chrooted Apache, symlinks certainly pose a significant risk to exposing files outside of your document root.
At the moment the system parses REQUEST_URI as such:
All rewrite rules are written to index.php
URL domain.com/request
REQUEST_URI = /request (trimmed as "request")
Using PHP switch() we check case 'request': include xyz.php; exit;
This is a fairly common technique, but how would I implement the same result without the need for +FollowSymLinks and without having to go through every script in the system and change navigation links?
modrewrite will also work if you enable the following:
Options +SymlinksIfOwnerMatch
This causes Apache to check the owner of the link and the target, and only follows the link if the owners match.
Perhaps your server guys would accept that as a reduced risk?
More info here: http://onlamp.com/pub/a/apache/2004/02/19/apache_ckbk.html
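The risk the server techs raised is that with +FollowSymLinks Apache serves whatever a link under the document root points at, even a file outside it, and SymLinksIfOwnerMatch narrows that by refusing links whose owner differs from the target's. The following added example (not from either post or from Apache) is a Python audit that applies both tests to a document root: it walks the tree without following links and reports every symlink that resolves outside the root, whose owner differs from its target's, or that dangles. The demo tree it builds is constructed in a temporary directory; the file names in it are placeholders.

```python
import os
import shutil
import tempfile


def audit_symlinks(docroot):
    """Walk docroot without following links and return (link_path, finding) for every symlink that
    Options +FollowSymLinks would let Apache serve but that looks risky: it resolves outside the
    document root, its owner differs from its target's (what SymLinksIfOwnerMatch refuses), or it dangles."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):  # followlinks=False: linked dirs are listed, not entered
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if not os.path.exists(target):
                findings.append((path, "dangling link"))
            elif os.path.commonpath([root, target]) != root:
                findings.append((path, "escapes document root: " + target))
            elif os.lstat(path).st_uid != os.stat(target).st_uid:
                findings.append((path, "owner mismatch: SymLinksIfOwnerMatch would not follow it"))
    return findings


def summarize(docroot):
    """Findings as (path relative to docroot, first word of the finding), sorted, for compact checks."""
    return sorted((os.path.relpath(p, docroot), f.split()[0]) for p, f in audit_symlinks(docroot))


def build_demo_tree():
    """Constructed layout (not a real site): a docroot holding one safe link, one link to a file
    outside the docroot and one dangling link. Returns (base_dir, docroot); call cleanup(base_dir) after."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "css"))
    with open(os.path.join(docroot, "index.php"), "w") as f:
        f.write("<?php echo 'hi';\n")
    secret = os.path.join(base, "secret.conf")  # placeholder file living outside the document root
    with open(secret, "w") as f:
        f.write("db_password=placeholder\n")
    os.symlink("index.php", os.path.join(docroot, "home.php"))    # safe: stays inside the docroot
    os.symlink(secret, os.path.join(docroot, "css", "leak.txt"))  # escapes the docroot
    os.symlink("missing.php", os.path.join(docroot, "gone.php"))  # dangling
    return base, docroot


def cleanup(base):
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    base, docroot = build_demo_tree()
    for path, finding in audit_symlinks(docroot):
        print(os.path.relpath(path, docroot), "->", finding)
    cleanup(base)
```

The owner check only reproduces what SymLinksIfOwnerMatch enforces at request time; the escape check is the stronger one, since a link the site's own user created to a readable file outside the root passes the owner test yet still exposes that file. Running the audit from a deploy hook over the real document root catches both before Apache ever serves them.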
The Apache documentation states
If your administrator has disabled override of FollowSymLinks for a user's directory, then you cannot use the rewrite engine. This restriction is required for security reasons.
Check this link:
http://httpd.apache.org/docs/current/mod/mod_rewrite.html
OK, I know I'm answering my own question, but I'm going out on a limb...
I should probably have mentioned before that the site will NOT be public as it is an administrative system so we don't care about search engines
Would I be able to do this instead of the existing implemented mod_rewrite:
.htaccess file:
ErrorDocument 404 /index.php
index.php
header("Status: 200 OK");
header("HTTP/1.0 200 OK");
I know this is messy, but we do not have time and the server tech guys will not budge, the $_SERVER['REQUEST_URI'] should still contain the same info???
Please feel free to comment and down/upvote, but please remember I know this is extremely cowboy and it's merely a temporary workaround
Important Note
POST requests do NOT work this way because Apache redirects to index.php (losing the POST data); you could still use GET info
So, we've got PHP 5.3.2 installed on a Windows 2008 R2 Server. PHP.ini file is loaded, everything looks good on that end. We are also running IIS 7.5 and ISAPI_Rewrite. We have a PHP-based CMS installed and it runs dandy.
The problem lies with posting variables. Example:
We have a contact page: http://example.com/contact with a form that posts the variables on submit via PHP.
But then, when a user submits the form, it seems as if any page with variables POSTed (like this one) ends up returning a 500 error.
EDIT I have another idea: Not sure whether it could have to do with the .htaccess files. This server gives 500 errors for, like, everything.
The CMS we're using passes everything through an index.php file, so our .htaccess file takes index.php out of the url so that urls are clean.
RewriteEngine on
RewriteCond $1 !^(images|documents|admin|themes|favicon\.ico|robots\.txt|index\.php) [NC]
RewriteRule ^(.*)$ /index.php/$1 [L]
The headers for the posted-to page are as follows:
Request URL:http://domain.com/
Request Method:POST
Status Code:500 Internal Server Error
**Request Headers**
Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Content-Type:application/x-www-form-urlencoded
I could be way off here, but is there some sort of regex or setting I missed in IIS that any .php file with post variables is just not assigned to get picked up by PHP?
*EDITS / UPDATES*
I RDC'd into the computer to test, and also turned on Detailed error reporting.
The website, with clean URLs, works fine until submitting a form.
Server error: HTTP Error 500.0 - Internal Server Error
The FastCGI process exceeded configured activity timeout (it took a while)
Handler: PHP5
And then in the logs:
2011-01-12 16:57:56 10.64.181.170 POST /index.php/ - 80 - 10.64.181.170 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1; +WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727; +.NET4.0C;+.NET4.0E) 500 0 258 82850
--Steph
I encountered this today on a customer website.
This customer was using UMBRACO as their CMS and had a large web.config file in the root of the site.
My background is in Linux rather than Windows, however after randomly shotgun-removing lines from the web.config, I discovered the problematic line was something like:
<trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
If you are still having this problem, check to see if you have a web.config in the root of the site with a line similar to this in it. Commenting it out seemed to do the trick, I'm not sure what it is used for.
IIS does not natively support .htaccess files and rewrite rules. To work around that you need to:
Install URL Rewrite for IIS
In IIS manager for your site double-click URL Rewrite
Click Import Rules
Locate your .htaccess file on the disk
Click Import
Review and click Apply
IIS rewrite rules will get saved as web.config XML file. Conversion works out-of-the-box for most rewrite rules.