Error 403 and Hex Encoding



12:23 pm on Nov 24, 2010 (gmt 0)

5+ Year Member

Hi there,

I work with someone who has had their Apache 2 web server tested for PCI compliance, and one of the issues they had flagged up was, "Because the scanner was able to find a specific forbidden directory, it should remain forbidden even if some hex encoding is being input."

The example I have is, theirwebsite.com/any-folder/ gives a 403 directory forbidden error, whilst theirwebsite.com/any-folder/%3fD=A gives a 404 file not found error.

They say that even when adding the hex encoding, it should still be giving a 403 error, rather than the 404 error.

I'm not even sure I understand what the issue is here, but assuming this is an issue and those who know more than me understand it, do you have any ideas for how to remedy this behaviour?




1:23 am on Nov 28, 2010 (gmt 0)

10+ Year Member

A 403 error means "access denied" usually because the user does not have privileges. Simply adding some garbage to the end of the path is generally not something that would change this condition. But your server seems to be saying /any-folder/ is off limits (perhaps unless the user is authenticated), but something more revealing (file not found) if they just add some garbage to the end.

We used McAfee ScanGuard for a while, and at first I thought their error reporting was a little overzealous, but this probably shouldn't happen -- if there's a directory that's off limits, it's probably good practice to ensure that it also gets a 403 forbidden error as well. This isn't so much of an error as it is a way that spammers/hackers can use to see how the server responds to various requests and look for exploits. If /any-folder/ is off limits, then /any-folder/{some garbage} most likely should be, as well.



2:38 am on Nov 28, 2010 (gmt 0)

5+ Year Member

Any ideas on how to make both /any-folder/ and /any-folder/hex-encoded-stuff give the 403 forbidden messages at all?




11:09 pm on Dec 1, 2010 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Easy fix: Deny requests for all percent-encoded HTTP Methods, URL-paths, query-strings, fragments, and protocols:

RewriteCond %{THE_REQUEST} ^[^%]*\%
RewriteRule ^ - [F]

This in addition to the usual "Options -Indexes" should take care of it.
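
Added example, not part of the thread or of the post above: because that RewriteCond matches any request line containing a percent sign, replaying existing access-log entries through the same pattern shows which requests would newly receive a 403, including legitimately encoded URLs. The log lines are constructed samples, and Python's `re` is assumed to treat this simple pattern the same way Apache's regex engine does.

```python
import re

# The CondPattern from the rule above; Apache tests it against THE_REQUEST,
# which is the raw request line (what the %r log field records).
PCT_RULE = re.compile(r'^[^%]*\%')

# Common/combined log format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Constructed sample access-log lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Nov/2010:12:23:01 +0000] "GET /any-folder/ HTTP/1.1" 403 210
203.0.113.5 - - [24/Nov/2010:12:23:02 +0000] "GET /any-folder/%3fD=A HTTP/1.1" 404 208
198.51.100.7 - - [24/Nov/2010:12:30:10 +0000] "GET /docs/price%20list.pdf HTTP/1.1" 200 48211
198.51.100.7 - - [24/Nov/2010:12:30:15 +0000] "GET /search?q=caf%C3%A9 HTTP/1.1" 200 5120
198.51.100.9 - - [24/Nov/2010:12:31:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

def would_be_denied(request_line):
    """True if the RewriteCond matches, i.e. the RewriteRule answers 403 ([F])."""
    return PCT_RULE.search(request_line) is not None

def audit(log_text):
    """Return (fixed, collateral) request lines whose status would become 403.

    fixed:      previously answered with a 4xx/5xx other than 403
    collateral: previously served successfully (2xx/3xx)
    """
    fixed, collateral = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        request, status = m.group(1), int(m.group(2))
        if status == 403 or not would_be_denied(request):
            continue  # the rule changes nothing for this request
        (collateral if status < 400 else fixed).append(request)
    return fixed, collateral

if __name__ == "__main__":
    fixed, collateral = audit(SAMPLE_LOG)
    print("404 today, 403 with the rule:", fixed)
    print("served today, 403 with the rule:", collateral)
```

Any entry in the second list is a URL that works today and would be refused once the rule is in place, so it is worth running this over real logs before deploying.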

