URL in the parameter causing 403 and other problems

Forum Moderators: coopster

Message Too Old, No Replies

URL in the parameter causing 403 and other problems

ayushchd

10:48 am on Jul 3, 2010 (gmt 0)

Hi,

I have PHP page that is the thank you for an aweber form. aWeber redirects to that page by passing certain parameters in the URL. I realised that I was getting a 403 even though the page existed on the server. Then I found out if I remove the "ad_url=http://www.whatever.com/" from the long list of parameters, the page loads find.

Also, I had a mod_rewrite set up to redirect anything like example.com to www.example.com

But whenever that thank you page is called (with the ad_url parameter) it redirects me to 403.shtml

But when I remove the parameter it redirects me to www.whateversite.com/whateverarguments

Please suggest something.

Readie

12:26 pm on Jul 3, 2010 (gmt 0)

When putting info in the URL, it's best to run it through urlencode(), then use urldecode() when retrieving it. The lack of this may be the cause of your problem.

[uk2.php.net...]
[uk2.php.net...]

ayushchd

12:29 pm on Jul 3, 2010 (gmt 0)

The parameter is being passed by aWeber. I can't control what's being passed.

penders

2:58 pm on Jul 3, 2010 (gmt 0)

What if you just manually try changing the "ad_url" param to say "test=" with the same value?

Do you have mod_security installed on your server? I've found this to block certain URL params (security reasons!?), resulting in the server returning some arbitrary error.

Failing that I would guess something was wrong your mod_rewrite rule, although if you are only redirecting from none-www to www, then that kinda seems unlikely.

rocknbil

4:31 pm on Jul 3, 2010 (gmt 0)

Let's see an example of the query string sent to your server, changing your domain name to example.com, and change http to https. This first for the TOS on this board, the second because this board munges up the code for a url, converting it to a link, and it's hard to see what's going on. It doesn't do this with https. Like

[example.com...]

ayushchd

4:39 pm on Jul 3, 2010 (gmt 0)

[example.com...]

This gives me a 403. But, when I change it to :

[example.com...]

It works fine.

ayushchd

6:03 pm on Jul 3, 2010 (gmt 0)

Its a 404. My mistake. Here is the error :
Forbidden

You don't have permission to access /index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

eelixduppy

3:33 am on Jul 4, 2010 (gmt 0)

Is it rewriting the URLs in a specific way? From what I've gathered it is having odd behavior that doesn't seem consistent.

ayushchd

2:56 pm on Jul 4, 2010 (gmt 0)

Right now there is no rewriting.

penders

9:38 pm on Jul 4, 2010 (gmt 0)

Its a 404. My mistake. Here is the error :
Forbidden

Although a "Forbidden" is really a 403. I think the 404 you are seeing is because a 403 error document cannot be found?!

Have you tried my suggestion above regarding mod_security? Reason I suggested this is that I previously had a problem on a shared server where I used "url=http://..." as a parameter. For some reason mod_security did not like "url" and in my case returned a '406 Not Acceptable' error. It took a long while, however, to realise this was the problem! I simply changed the param to "site=" and all was good.

However, you appear to have little control over the software, so this might be a problem if this is indeed the problem?! May be mod_security can be tweaked in this case if that's the issue?

ayushchd

1:28 pm on Jul 7, 2010 (gmt 0)

Any idea, what kind of tweaking would be required in the mod_security?

penders

2:23 pm on Jul 7, 2010 (gmt 0)

Have you clarified that mod_security (or mod_security2 ?) is in fact one of the loaded modules on your server? Sorry, I do not know what can be 'tweaked' with mod_security. However, if you are on a shared server there may not be much you can do about it?!

ayushchd

3:35 pm on Jul 7, 2010 (gmt 0)

There is mod_security loaded.

Can I make changes in .htaccess

Something with SecRule, SecFilter, etc