403 Forbidden WHY? Strange....

Rok-Kralj
http://www.ad-astra.si/index.php?w=knjiga

This is the web page I'm currently working on.

Try to submit any HTML to guestbook, for example "<p><h2>", and you get the following error:

----------------------------------
"Forbidden

You don't have permission to access /index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at www.ad-astra.si Port 80 "
--------------------------------

The problem is that this error occurs only when using Firefox and only when submitting HTML. Other browsers (Opera, IE) and plain text work fine.

Commented:
What is the PHP code that handles the POST?

Author

Commented:
Here it is...

Nothing that would cause firefox to behave so differently.

<?php
// Guestbook submission handler. $sql is the asker's own database wrapper:
// q() replaces each '$' placeholder in the query with the values that follow
// the second argument (this is not a standard PHP API).
if (isset($_POST['submit'])) {
	// Rate limit: refuse a second entry from the same IP within one hour.
	if ($sql->q('SELECT * FROM guest_book WHERE ip=$ AND date+3600>$', 0, ip2long($_SERVER['REMOTE_ADDR']), time()) !== false) {
		echo 'Only one entry per hour is allowed!';
	} else {
		echo 'Your entry has been added to the guestbook. Because of possible abuse, a moderator has to approve your post.';
		// HTML tags are stripped from the text field only; the name field is stored as submitted.
		$sql->q("INSERT INTO guest_book (name, text, date, ip) VALUES ('$', '$', $, $)", 0, $_POST['name'], strip_tags($_POST['vsebina']), time(), ip2long($_SERVER['REMOTE_ADDR']));
	}
}
?>

<form method="post"><div>
	Name: <input type="text" name="name" value="" /><br />
	<textarea name="vsebina"></textarea><br />

	<input type="submit" name="submit" value="Send your opinion!" />
</div></form>

Commented:
I have the same issue with IE and Chrome.

What happens on an SQL error? Maybe a wrong redirect in that case.

Commented:
Maybe the text field cannot be empty in the database... <p>blabla</p> works in Firefox.

Author

Commented:
<h2>fsdfsdf<h2><p>fsdfsdf</p> doesn't.



Author

Commented:
I'm not an idiot; the database has nothing to do with return codes.

Anyone else?

Commented:
Maybe the database class you are using raises something like that when a query fails:

header('Location: some_403_wrong_path');

Sorry if I offended you... just trying to help.

Commented:
Do you have SELinux installed?

Author

Commented:
The database class was written by me... Guaranteed not to contain anything like that...

And even if it did, why would it fail only in Firefox?
Commented:
If you are getting a 503 Forbidden error, then you should see more detail on the actual error in the Apache error log file.

Have a look at it while making the call in Firefox that causes the error.

The log is located at

etc/httpd/logs/error_log

on our cPanel / Linux servers.

I was guessing that you had mod_security configured; however, I have not managed to trigger it when attempting some other known error URLs.

Anyway, the Apache error_log should have the info you need.

Commented:
Rok> no SELinux installed?

I get the HTTP 403 on IE, Firefox, Chrome, Opera, Safari...

It seems not to be a browser issue.

Commented:
Yes, it is not a browser issue. I guess it is code in the wrapper class to prevent SQL injection. We can make sure of that by commenting out the two $sql->q() lines.

Commented:
Unwanted 403 errors are classic with security layers like SELinux on Apache. Let Rok tell us what security software is installed and we should find it out.

Author

Commented:
@profya:
I wrote the SQL class myself, so I know what I have written. However, I've done that anyway, and still no success.

I have found out what's wrong myself. My host has a special mod_security rule that first checks whether the request is POST. In that case, it counts all HTML tags, and if >=2, then it raises 403 Forbidden.
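An added example, not code from the thread or from the host: it models the rule the asker describes (POST only, count the HTML tags in the submitted fields, 403 at two or more) and runs the bodies posted earlier in the thread through it. Two things are assumptions: the regex below decides what counts as a tag, and the thread never settles whether closing tags are counted (one poster reported <p>blabla</p> passing, which only fits a rule that counts opening tags), so that is a parameter. probe() sends the real POST to a URL such as the one in the question so the live rule can be bisected the same way; it is a network call and is not invoked at import.

```python
import re
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Assumed definition of a "tag": <p>, </p>, <br />, <H2 class="x"> all match.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")
# Opening tags only (no leading slash).
OPEN_TAG_RE = re.compile(r"<\s*[A-Za-z][^>]*>")


def count_tags(text, count_closing=True):
    """Number of HTML tags in text; closing tags optionally ignored."""
    pattern = TAG_RE if count_closing else OPEN_TAG_RE
    return len(pattern.findall(text))


def waf_verdict(method, fields, threshold=2, count_closing=True):
    """Model of the rule as the asker describes it: only POST is inspected,
    the tags in all field values are counted, and >= threshold gives 403.
    Returns the HTTP status the request would receive (403 or 200)."""
    if method.upper() != "POST":
        return 200
    total = sum(count_tags(value, count_closing) for value in fields.values())
    return 403 if total >= threshold else 200


# Constructed samples: the bodies that were tried in the thread, plus plain text.
SAMPLES = {
    "two open tags": {"name": "x", "vsebina": "<p><h2>"},
    "open+close":    {"name": "x", "vsebina": "<p>blabla</p>"},
    "four tags":     {"name": "x", "vsebina": "<h2>fsdfsdf<h2><p>fsdfsdf</p>"},
    "plain text":    {"name": "x", "vsebina": "hello"},
}


def classify_samples(count_closing=True):
    """Status each sample would get from the modelled rule."""
    return {label: waf_verdict("POST", fields, count_closing=count_closing)
            for label, fields in SAMPLES.items()}


def probe(url, fields, submit_name="submit"):
    """Send the real POST and return the status code (403 when blocked).
    Network call; call it by hand against the form URL to bisect the live rule."""
    data = dict(fields, **{submit_name: "1"})
    body = urllib.parse.urlencode(data).encode()
    request = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    for closing in (True, False):
        print("closing tags counted:" if closing else "opening tags only:")
        for label, status in classify_samples(closing).items():
            print(f"  {label:14s} -> {status}")
```

Running the model both ways shows the one sample that separates the two readings: "<p>blabla</p>" is blocked if closing tags count and passes if they do not, while "<p><h2>" and the four-tag body are blocked either way and plain text never is. Posting those same bodies with probe() against the real form tells you which variant the host actually runs, which is what the missing error log would otherwise have shown.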

Commented:
Yes. If you told me the class has no code with such a behavior, then I would suggest the problem may be with an .htaccess. No problem man, you discovered it yourself. We lost valuable points.

Commented:
That's what I was saying...

Author

Commented:
I would like a refund of the points, because I found the answer myself.

Commented:
"Unwanted 403 errors is classic with security layers like SELinux on apache. Let's Rok tell us what security software is installed and we should find it out."

12 hours later =>

"I have found out what's wrong myself. My host has a special mod_security rule that first checks whether the request is POST."

Author

Commented:
The host uses Debian, not SELinux, LOL.

Commented:
I do support flob9's claim; he highlighted the security effect and asked the asker for more information about the security aspects. This highlight may have led the asker to discover the details.

Commented:
"tell us what security software is installed ..."

Don't want your points, but you could at least admit we showed you the right way to search...

Commented:
#24889188 has all the information required to track down the problem. I was suggesting mod_security and checking the error logs.

8 hours later:

"I have found out what's wrong myself. My host has a special mod_security rule that first checks whether the request is POST. In that case, it counts all HTML tags, and if >=2, then it raises 403 Forbidden."

As flob9 said... I don't care about your points. However, you could have the decency to recognise the people that helped and the pertinent information contained in the posts prior to you finding the solution "all by yourself".

Author

Commented:
The problem with your answer was that I don't have access to the Apache logs....
So I couldn't find out what exactly is disturbing mod_security so much.

Commented:
Right... you can't access the Apache logs, so you asked your hosting support people to check your error logs because you were having problems with the form, and they checked and told you it was the mod_security rule triggering on double HTML tags in POSTed data?