I am having a problem like this:
403 Forbidden on PHP page called with url encoded in a $_GET parameter
I am getting "403 forbidden" error
When I pass a URL as a GET variable like this:
http://script/test.php?url=https://stackoverflow.com/questions/ask
But this is ok.
http://script/test.php?url=stackoverflow.com/questions/ask
And even if I urlencode the URL it still gives me a 403.
Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at ----- Port 80
And I don't think this server has mod_security enabled, because when I add SecFilterEngine Off in .htaccess I get "500 Internal Server Error".
Code snippet:
$URL = mysql_real_escape_string($_GET['url']);
mysql_query("INSERT INTO `url` ...");
So the question is, can I fix this without editing httpd.conf, because I don't have root privilege.
Thanks
Do you have access to the apache error log itself? If this is a cPanel system and you have shell access, try viewing the log /usr/local/apache/logs/error_log - mod_security errors will appear there. Otherwise, you can look inside your control panel to see if it picks up any error messages.
Even if mod_security is installed, you can still get a 500 error after putting SecFilterEngine in .htaccess if the keyword isn't allowed.
I recommend contacting your web host to determine whether mod_security is the cause. If it is, you can ask them to create an exception. (I work for a web hosting company, and we're almost always happy to make mod_security exceptions for reasonable applications)
If it's caused by mod_security and your web host won't create an exception, you either need to change hosting companies or find a different way to pass the url (base64 encoding might work for you)
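An added example, not part of the original answer: a shell helper that summarises ModSecurity denials in an Apache error log by rule id and URI, which is the detail a host needs to write an exception. The log lines, addresses, rule ids and file paths are constructed, modelled on the ModSecurity 2.x `[id "..."] [uri "..."]` tag layout.

```bash
#!/usr/bin/env bash
# Summarise ModSecurity denials in an Apache error log as "count rule-id uri".
# Usage: modsec_denials /usr/local/apache/logs/error_log   (or pipe on stdin)
modsec_denials() {
    # Keep only "Access denied" entries; the pattern accepts both the
    # "ModSecurity:" and "mod_security:" spellings of the log prefix.
    grep -iE 'mod_?security: Access denied' -- "${1:--}" |
    awk '{
        id = "-"; uri = "-"
        # Each tag looks like [id "100001"]; strip the wrapper, keep the value.
        if (match($0, /\[id "[^"]*"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[uri "[^"]*"\]/)) uri = substr($0, RSTART + 6, RLENGTH - 8)
        seen[id " " uri]++
    }
    END { for (k in seen) print seen[k], k }' | sort -rn
}

# Constructed sample log (addresses, rule ids and file paths are placeholders).
sample_log() {
    cat <<'EOF'
[Fri Jan 01 10:00:00 2021] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:url. [file "/placeholder/modsec.conf"] [line "10"] [id "100001"] [hostname "script"] [uri "/test.php"] [unique_id "SAMPLE-1"]
[Fri Jan 01 10:00:05 2021] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:url. [file "/placeholder/modsec.conf"] [line "10"] [id "100001"] [hostname "script"] [uri "/test.php"] [unique_id "SAMPLE-2"]
[Fri Jan 01 10:01:00 2021] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:site. [file "/placeholder/modsec.conf"] [line "22"] [id "100002"] [hostname "script"] [uri "/index.php"] [unique_id "SAMPLE-3"]
[Fri Jan 01 10:02:00 2021] [error] [client 192.0.2.12] File does not exist: /home/user/public_html/favicon.ico
EOF
}

# Demo on the constructed sample; point it at the real error_log in practice.
sample_log | modsec_denials
```

A 403 with no matching line in this summary points away from mod_security and towards permissions or access rules instead.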
For me the solution to this issue was getting my host (hostgator) to create an exception for mod_security on my site. mod_security's used for blacklisting certain types of operations, and it seems $_GET requests containing URLs (http://www.etc) were one, for whatever reason. As stated by lunixbochs, most hosts will be happy to sort it out for you.
Related
I'm using PHP-FPM to host one of my busy websites. I serve all PHP and HTML pages through the PHP-FPM proxy. For 500 errors, I want to send an email to all stakeholders, with the URL, its query strings and cookies, through another PHP script hosted on the same server.
However, adding ErrorDocument 500 /report/webmaster/dp-server-error.php inside the virtual host results in a redirect loop to the error script, i.e. dp-server-error.php. As a workaround, I have done something like this in the virtual host file and it works.
ProxyPassMatch ^/(.*\.(php|html)(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/example.com/
ProxyErrorOverride On
ErrorDocument 500 https://www.example.com/report/webmaster/dp-server-error.php?page=%{REQUEST_URI}?%{QUERY_STRING}&cookies=%{HTTP:Cookie}
However, the workaround has some issues. The cookies might exceed the number of valid characters in a URL. The URL might be noticed by one of the crawlers, and crawling this URL might send false email alerts. I want ErrorDocument to work normally without using the full domain name. I want to know how I can avoid the redirect loop. Also using
ProxyPass /report/webmaster/dp-server-error.php !
to avoid the redirection loop is not acceptable, as I would not be able to use the existing PHP framework to perform detailed analysis of the error before sending the email for further analysis.
I have a simple custom MVC app using $_GET to parse a URL, and I've got it working on my dev server as well as a few different webhosts using PHP 7.1... but I'm trying to use x10hosting's free LAMP hosting and the data being passed from $_GET is coming through as 403...
I've proved that it works on other servers as well as my own dev server with this
echo '<pre>', $route->path, $_GET['url'], '</pre>';
When going to the URL http://app/admin... this line in my loop gives me what should be expected...
/admin
adminadmin
but on x10's server I get this
/403.shtml
admin403.shtml
I have tried encoding to base64 with urlencode($_GET) as well as disabling mod_sec in the .htaccess with
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Neither solution worked... I'm almost certain it's a server config issue but access is pretty much limited to .htaccess and php.ini .... I haven't touched PHP or Apache in a while and am a little lost... any help would be greatly appreciated
This does sound like a mod_security type issue. And, as you have found, you are unable to disable mod_security on the free hosting platform.
I have encountered mod_sec rules on a number of shared hosts that simply block the request based on certain parameter names (supposedly blocking common XSS attempts). url is a common one. site is another. Simply changing the parameter name might be all that's required.
"Free" hosting accounts are always going to have some restrictions. If this is the only thing that holds you back then you are lucky.
Forbidden
You don't have permission to access /install/step3.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Why is it showing this error when I'm trying to install a script?
Your question has 2 configuration problems.
File Permission (in Filesystem)
ErrorDocument Attribute (in Apache Webserver)
First, you can solve the permission error using the 'chmod' and 'chown' commands.
Try this:
chmod -R 777 directory (777 means allow permission for all)
chown -R [user]:[group] directory (generally, the same [user] and [group])
Second, the ErrorDocument handling error can occur from an invalid ErrorDocument attribute setting in the .htaccess or httpd.conf (or apache2.conf) file.
Try this:
Check your .htaccess file in the 'install/' directory. If you cannot see this file, you can try the 'ls -al' command in a terminal. You have to find the 'ErrorDocument' attribute and remove or correct it.
Check your Apache webserver configuration file (httpd.conf or apache2.conf). If you can find the 'ErrorDocument' attribute, you can try removing this attribute from the file. It is temporary, so you must back it up before trying the suggested cases.
If you cannot solve it with cases 1 and 2, you can try disabling the 'AllowOverride' attribute. Find the 'AllowOverride x' attribute and replace it with 'AllowOverride None', because this problem can possibly come from a .htaccess file in parent directories. The AllowOverride attribute controls whether additional configuration in .htaccess files is allowed or denied.
You must restart the Apache service after trying these cases. You can try the 'service httpd restart' or 'service apache2 restart' command.
Good luck to your web server and you.
First thing to do is check that the index.html is written in properly. Forbidden 403 usually indicates that the server is running but that the requested resource is not being found.
Then clear your cache. Additionally check your php.ini file to configure any necessary items to get your website running.
The Web server (running the Web site) thinks that the HTTP data stream sent by the client (e.g. your Web browser or our CheckUpDown
robot) was correct, but access to the resource identified by the URL
is forbidden for some reason.
This indicates a fundamental access problem, which may be difficult to
resolve because the HTTP protocol allows the Web server to give this
response without providing any reason at all. So the 403 error is
equivalent to a blanket 'NO' by the Web server - with no further
discussion allowed.
By far the most common reason for this error is that directory
browsing is forbidden for the Web site. Most Web sites want you to
navigate using the URLs in the Web pages for that site. They do not
often allow you to browse the file directory structure of the site.
For example try the following URL (then hit the 'Back' button in your
browser to return to this page):
http://www.checkupdown.com/accounts/grpb/B1394343/
This URL should fail with a 403 error saying "Forbidden: You don't
have permission to access /accounts/grpb/B1394343/ on this server".
This is because our CheckUpDown Web site deliberately does not want
you to browse directories - you have to navigate from one specific Web
page to another using the hyperlinks in those Web pages. This is true
for most Web sites on the Internet - their Web server has "Allow
directory browsing" set OFF.
I have faced this problem. On localhost it was running as I wanted, but when deployed (using FileZilla in my case) on the remote server, the problem occurred, with error 403 instead of 404. I think, as mentioned before, it is a restricted access from the server. I only reuploaded the whole folder and everything is perfect now.
Thanks to this community.
.htaccess
ErrorDocument 404 /index.php
ErrorDocument 403 /index.php
ErrorDocument 403.14 /index.php
ErrorDocument 500 /index.php
I was looking for this over google and found just one thing repeated on every single website.
Edit your .htaccess and add this line:
ErrorDocument 404 /yourpage.php
So for example my page is error.php so it is obvious that it should be:
ErrorDocument 404 /error.php
However, even if I type the full domain name it doesn't work. It gives me Internal Server Error only and I have no idea how to make it work.
Any tips? Thanks.
EDIT No.1:
I am not quite sure where I check for these "Apache" logs.
Btw here is full ISE Message:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, *webmaster#mydomainname.com* and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Also I have tried making error.html and it doesn't work. And also I do not use any other rewrites in .htaccess.
Then your webserver does not support this option...
Look into your httpd.conf and search for
AllowOverride <value>
If it is not equal to FileInfo or All, configuring error documents is not allowed.
Change it to All to make it work (and restart Apache afterwards).
If you do not have access to the httpd.conf, ask your provider to allow custom error documents.
Since it's a Friday, I can't ask my host about this, but apparently, all the .php pages on my websites are giving out the "Internal Server Error"... this started just now, I was not on my admin cp, I did 0 changes to my website today, in fact, I changed nothing for about a week now.
I host a few forums and got alerted by some users just now who were browsing and suddenly this happens.
The website in question:
cudamine.com
The error:
Internal Server Error
The server encountered an internal
error or misconfiguration and was
unable to complete your request.
Please contact the server
administrator, xxx#email.com and
inform them of the time the error
occurred, and anything you might have
done that may have caused the error.
More information about this error may
be available in the server error log.
Additionally, a 404 Not Found error
was encountered while trying to use an
ErrorDocument to handle the request.
I use cPanel X.
Should I be worried about this? Some sort of attack or something? All HTML pages work fine, it's just .php that seems to have this issue, is this a problem on my host's end, or can I do anything about this before Monday? Thanks guys, and sorry if this is the wrong place to ask. It's just that I don't want to have no site for the whole weekend...
After reading up on the web about similar situations, I found some info on the .htaccess file, I found the file and this is what's in it:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^cudamine.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.cudamine.com$
RewriteRule ^santa\-maria\/forum\/?(.*)$ "http\:\/\/cudamine\.com\/santa\-maria\/\?page_id\=7\/$1" [R=301,L]
Those two RewriteCond are 2 of my links that use php... I tried deleting this file, nothing changed though.
Definitely check the error log (should be available in CPanel).
One common occurrence I see is when a host enables SuPHP (suexec for PHP scripts) and you have group writable scripts or directories containing scripts.
If your error log shows anything like "Apache SoftException", then this is the most likely cause. You need to change the filesystem permissions on your scripts and directories to remove the group "write" bit.
Another possible cause is your host has disabled mod_rewrite or removed the appropriate overrides (FileInfo) to use the Rewrite* directives.
PHP may be writing its error log elsewhere than the standard Apache error_log. You can retrieve the log's location with ini_get('error_log'). If the value's something other than "syslog", PHP is writing its errors to a file of the same name.
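An added example, not from the original answers: listing and then clearing the group and world write bits under a web root, which is the permission change the SuPHP answer above calls for. It goes beyond that answer by also covering world-writable entries, such as those a recursive `chmod 777` (suggested earlier on this page) leaves behind; the function names and the demo tree are constructed.

```bash
#!/usr/bin/env bash
# Report, then remove, group/world write bits under a web root.

# Print every regular file or directory that group or others can write to.
list_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Clear the group and other write bits on exactly those entries. Owner and
# execute bits are left alone, so 777 becomes 755 and 664 becomes 644.
drop_group_other_write() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Constructed demo tree (not from the page): one entry per permission case.
make_demo_tree() {
    local root
    root="$(mktemp -d)"
    mkdir "$root/forum"
    touch "$root/index.php" "$root/forum/post.php" "$root/forum/ok.php"
    chmod 777 "$root/index.php"       # what a blanket chmod -R 777 leaves
    chmod 664 "$root/forum/post.php"  # group-writable script
    chmod 644 "$root/forum/ok.php"    # already acceptable
    chmod 775 "$root/forum"           # group-writable directory
    printf '%s\n' "$root"
}

root="$(make_demo_tree)"
echo "before:"; list_writable "$root"
drop_group_other_write "$root"
echo "after:";  list_writable "$root"
rm -rf "$root"
```

Run `list_writable` on its own first against a real web root and review the output before applying the change.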