Apache Web Server Forum

    
Error 403 and Hex Encoding
stemc

Msg#: 4234438 posted 12:23 pm on Nov 24, 2010 (gmt 0)

Hi there,

I work with someone who has had their Apache 2 web server tested for PCI compliance, and one of the issues they had flagged up was, "Because the scanner was able to find a specific forbidden directory, it should remain forbidden even if some hex encoding is being input."

The example I have is, theirwebsite.com/any-folder/ gives a 403 directory forbidden error, whilst theirwebsite.com/any-folder/%3fD=A gives a 404 file not found error.

They say that even when adding the hex encoding, it should still be giving a 403 error, rather than the 404 error.

I'm not even sure I understand what the issue is here, but assuming this is an issue and those who know more than me understand it, do you have any ideas for how to remedy this behaviour?

Thanks,

Stephen

 

sublime1

10+ Year Member

Msg#: 4234438 posted 1:23 am on Nov 28, 2010 (gmt 0)

A 403 error means "access denied" usually because the user does not have privileges. Simply adding some garbage to the end of the path is generally not something that would change this condition. But your server seems to be saying /any-folder/ is off limits (perhaps unless the user is authenticated), but something more revealing (file not found) if they just add some garbage to the end.

We used McAfee ScanGuard for a while, and at first I thought their error reporting was a little overzealous, but this probably shouldn't happen -- if there's a directory that's off limits, it's probably good practice to ensure that it also gets a 403 forbidden error as well. This isn't so much of an error as it is a way that spammers/hackers can use to see how the server responds to various requests and look for exploits. If /any-folder/ is off limits, then /any-folder/{some garbage} most likely should be, as well.

Tom

stemc

Msg#: 4234438 posted 2:38 am on Nov 28, 2010 (gmt 0)

Any ideas on how to make both /any-folder/ and /any-folder/hex-encoded-stuff give the 403 forbidden message?

Thanks,

Stephen

jdMorgan

WebmasterWorld Senior Member jdmorgan us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 4234438 posted 11:09 pm on Dec 1, 2010 (gmt 0)

Easy fix: Deny requests for all percent-encoded HTTP Methods, URL-paths, query-strings, fragments, and protocols:

RewriteEngine On
# Forbid any request whose raw request line contains a percent sign (a percent-encoded byte)
RewriteCond %{THE_REQUEST} ^[^%]*\%
RewriteRule ^ - [F]

This in addition to the usual "Options -Indexes" should take care of it.

Jim
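As an added illustration (not code from the thread or from any of its posters), the following Python script simulates the two decisions a server could make for the scanner's probe: the posted rule, which forbids any request line containing a percent sign, and a prefix check on the decoded, normalized path, which forbids everything under a forbidden directory however the request was encoded. The forbidden-directory list and the request lines are constructed placeholders, not values from the thread. The script also shows the caveat a practitioner should keep in mind before deploying the posted rule: it fires on every percent-encoded request, including legitimately encoded ones such as a file name containing a space.

```python
import re
from urllib.parse import unquote

# The rule from the post above, as a Python regex over the raw request line
# (what Apache exposes as %{THE_REQUEST}): match when a percent sign appears anywhere.
PERCENT_ENCODED = re.compile(r"^[^%]*%")

# Hypothetical list of directories that must answer 403 for every path beneath them
# (placeholder names, not taken from the thread).
FORBIDDEN_PREFIXES = ("/any-folder/",)


def posted_rule_forbids(request_line: str) -> bool:
    """True when the posted RewriteCond would match and the [F] rule would fire."""
    return PERCENT_ENCODED.match(request_line) is not None


def normalized_path(request_line: str) -> str:
    """Extract the URL-path from a request line, decode percent-escapes and
    resolve empty, '.' and '..' segments, the way a server normalizes the path
    before matching it against its directory configuration."""
    _method, target, *_rest = request_line.split()
    path = target.split("?", 1)[0]  # drop a real query string (a literal '?')
    path = unquote(path)            # %3f -> '?', %61 -> 'a', %20 -> ' ', ...
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    trailing = "/" if out and path.endswith("/") else ""
    return "/" + "/".join(out) + trailing


def prefix_rule_forbids(request_line: str) -> bool:
    """403 whenever the decoded, normalized path lies inside a forbidden directory,
    regardless of how the raw request was encoded."""
    p = normalized_path(request_line)
    if not p.endswith("/"):
        p += "/"
    return any(p.startswith(prefix) for prefix in FORBIDDEN_PREFIXES)


def decisions(request_line: str):
    """(posted rule forbids?, prefix rule forbids?) for one request line."""
    return (posted_rule_forbids(request_line), prefix_rule_forbids(request_line))


# Constructed request lines for the simulation (not captured traffic).
CONSTRUCTED_REQUESTS = [
    "GET /any-folder/ HTTP/1.1",              # the plain directory
    "GET /any-folder/%3fD=A HTTP/1.1",        # the scanner's probe from the thread
    "GET /%61ny-folder/ HTTP/1.1",            # same directory, one letter encoded
    "GET /docs/my%20report.pdf HTTP/1.1",     # legitimate encoded space, outside the folder
]

if __name__ == "__main__":
    for line in CONSTRUCTED_REQUESTS:
        posted, prefix = decisions(line)
        print(f"{line:40}  posted rule: {'403' if posted else 'pass'}"
              f"  prefix rule: {'403' if prefix else 'pass'}")
```

Running it shows the difference: the posted rule lets the plain /any-folder/ request through (the 403 there has to come from elsewhere, e.g. "Options -Indexes") and forbids the report.pdf request, while the prefix rule forbids exactly the requests that resolve into the forbidden directory. The prefix rule is what an Apache <Directory> or <Location> deny (Deny from all on 2.2) does, since those blocks are matched against the decoded path; if the posted rule is used instead, check the site's real URLs for legitimate percent-encoding first.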

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved