Someone is trying a POST attack and getting 403 (forbidden) responses.  What is this all about?

Posted on 2006-04-18
Last Modified: 2010-03-04
I have a Mambo website where we've set up an online ticket buying system through PayPal.

Over the weekend I noticed various attempts from computers around the world (everywhere from Japan to Yugoslavia) attempting to spontaneously post information to our web pages and being denied with a 403 (forbidden) response from Apache. Here's an example of the log entries:

- - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "" "-"
- - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "" "-"

I'm a little worried about these attacks and have a few questions if you're familiar with this type of attack:

-  Why is Apache causing a 403 (forbidden) on that page?  Obviously it doesn't like something in the POST parameters but my log doesn't show me what was posted.  There's nothing in my PHP code that causes a 403.  What is going on in Apache?

-  If a 403 is triggered by Apache, am I safe?  Or is there an exploit that actually USES a 403 message to its advantage?

-  What the heck are these people trying to do anyway?  What's the vulnerability they're looking for?

Any light on this would be appreciated.
Question by:scooter126ca
    LVL 15

    Assisted Solution


    1) It could be a number of reasons, starting from the POST request size to Allow/Deny settings in Apache config.

    2) Not necessarily, you need to find what triggered a 403. You can't really use a 403 to your advantage except in finding out what kind of application is there.

    3) If these are actual files on your server I would say they may be looking for a buffer overflow if they post a very long content. If these files belong to some widely available PHP application you might want to look for specific security issues in this application that were published/patched recently.
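
The answer above says to find what triggered the 403; Apache writes that reason to its error log, not the access log. As an added example (not part of the original thread), this script pairs each denied POST in the access log with the error-log entry from the same client and second. The log contents, IP addresses and file paths are constructed samples, and the error-log layout assumed is the Apache 2.0/2.2 default.

```python
import re
from datetime import datetime

# Access log, Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\] ]+) [^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Error log, assumed Apache 2.0/2.2 layout: [time] [level] [client ip] message
ERROR_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] \[\w+\] \[client (?P<host>[^\]]+)\] (?P<msg>.*)')

# Constructed sample data (documentation-range IPs), shaped like the question's entries.
ACCESS_LOG = """\
192.0.2.10 - - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "" "-"
198.51.100.7 - - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "" "-"
203.0.113.5 - - [15/Apr/2006:07:30:11 -0400] "POST /tickets/step2.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
ERROR_LOG = """\
[Sat Apr 15 07:25:24 2006] [error] [client 192.0.2.10] client denied by server configuration: /var/www/tickets/step2.php
[Sat Apr 15 07:25:25 2006] [error] [client 198.51.100.7] client denied by server configuration: /var/www/en/index.php
"""

def explain_denied_posts(access_text, error_text):
    """Return (path, host, reason) for each POST answered with 403."""
    # Index error-log messages by (client, local timestamp).
    reasons = {}
    for line in error_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            when = datetime.strptime(m["time"], "%a %b %d %H:%M:%S %Y")
            reasons[(m["host"], when)] = m["msg"]
    findings = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "403":
            continue
        # Both logs use server-local time; the regex leaves the UTC offset out.
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S")
        reason = reasons.get((m["host"], when), "no matching error-log entry")
        findings.append((m["path"], m["host"], reason))
    return findings

if __name__ == "__main__":
    for path, host, reason in explain_denied_posts(ACCESS_LOG, ERROR_LOG):
        print(f"{host} POST {path} -> {reason}")
```

A "client denied by server configuration" reason points at the Allow/Deny settings mentioned in point 1; a different message or no matching entry points elsewhere, such as a request size limit or a filtering module.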
    LVL 10

    Accepted Solution

    There are a number of POST vulnerabilities that have been fixed, but people may still be looking for servers with outdated software.

    The most likely one:

