Strange 403 Forbidden error

I’ve just discovered a very strange Forbidden error my server is returning when I submit a form. If any of the fields contain “http://”, the server returns a 403 Forbidden error. I really can’t understand this. Any help will be greatly appreciated!

Check your folder / file permissions.

The thing is there is no problem until any one of the form fields contains “http://”. “htpt://” works fine as well. What would a file/folder permission be that might involve such a thing?

My .htaccess file contains the following:


#Options -Indexes
Options +FollowSymlinks
ErrorDocument 404 /404.php

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

I had denied folder file listings, but I commented that out and I still got the same error.

ben,

Does the line “deny from all” in either of your limit directives mean anything to you? Frankly, you don’t need either of the limit blocks.

For that matter, I’d uncomment the -Indexes line and delete the +FollowSymLinks (but only because that would be in the httpd.conf or apache.conf file).

Regards,

DK

Hi

The limit part is put in by my host I’m guessing, as it has always been there. I thought it probably didn’t mean much so I just left it there. Have removed it now along with your other suggestions, but this still does not solve my problem.

I’ve done a couple of tests to try to isolate the problem, and it definitely seems that the server is throwing this error if and only if any of the form fields contains the text “http://”. I’ve tried submitting the form to other pages and I get the same error. Also, this only happens when “http://” are the first characters of the form field.

What could possibly be causing this?

What do you mean by http:// form field?

Paste the HTML code of your form

Presumably, the “http://” in the “form field” is in the value for the action - and that should not cause a problem (with the GET block removed).

Regards,

DK

Hi

Sorry, I wasn’t very clear. The “http://” was the value of a form field, i.e. if a user typed “http://www.mysite.com” in a text box and submitted the form. I found another similar error with another phrase so I took it up with my host, and apparently it’s due to a mod_security rule for added site security to prevent SQL injection attacks. I’ve had that lifted now though so it has solved the problem.

Thanks for all the help though, greatly appreciated!
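Added example, not part of the original thread: a 403 like the one diagnosed above can be traced to the specific mod_security rule and form field from the Apache error log, so that only that field is excluded from that rule and the rest of the rule set stays active. The log lines, rule ids (900001, 900002), field names and paths are constructed placeholders, and the ModSecurity 2.x error-log layout is assumed.

```python
import re
from collections import Counter

# Constructed Apache error_log lines in ModSecurity 2.x format. Rule ids,
# field names, paths and messages are placeholders, not values from the thread.
SAMPLE_LOG = '''\
[Mon Jan 04 10:00:01 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^https?://" at ARGS:website. [file "/etc/modsec/example.conf"] [line "12"] [id "900001"] [msg "Constructed: URL in argument"] [hostname "www.example.com"] [uri "/contact.php"]
[Mon Jan 04 10:00:09 2010] [error] [client 192.0.2.10] PHP Notice: Undefined index: website in /var/www/contact.php on line 3
[Mon Jan 04 10:02:30 2010] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^https?://" at ARGS:website. [file "/etc/modsec/example.conf"] [line "12"] [id "900001"] [msg "Constructed: URL in argument"] [hostname "www.example.com"] [uri "/contact.php"]
[Mon Jan 04 10:05:44 2010] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select.+from" at ARGS:comment. [file "/etc/modsec/example.conf"] [line "20"] [id "900002"] [msg "Constructed: SQL keywords"] [hostname "www.example.com"] [uri "/contact.php"]
'''

DENIED = re.compile(r'ModSecurity: Access denied with code (\d+) .*? at ([A-Z_]+(?::[^\s\]]+?)?)\. \[')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_denials(log_text):
    """Return one dict per ModSecurity denial found in the log text."""
    denials = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m is None:
            continue  # not a ModSecurity denial (e.g. the PHP notice)
        tags = dict(TAG.findall(line))
        denials.append({"status": int(m.group(1)), "target": m.group(2),
                        "id": tags.get("id"), "msg": tags.get("msg"),
                        "uri": tags.get("uri")})
    return denials

def summarize(denials):
    """Count 403 denials per (rule id, uri, matched target)."""
    return Counter((d["id"], d["uri"], d["target"])
                   for d in denials if d["status"] == 403 and d["id"])

def suggest_exclusions(summary, reviewed_fields):
    """Emit a narrow exclusion for each field reviewed as a false positive.

    SecRuleUpdateTargetById drops one argument from one rule; the rule keeps
    inspecting every other input, and all other rules are untouched.
    """
    lines = []
    for (rule_id, uri, target), hits in sorted(summary.items()):
        if target in reviewed_fields:
            lines.append(f"# {uri}: {hits} denial(s) at {target}")
            lines.append(f'SecRuleUpdateTargetById {rule_id} "!{target}"')
    return lines

if __name__ == "__main__":
    found = summarize(parse_denials(SAMPLE_LOG))
    print("\n".join(suggest_exclusions(found, {"ARGS:website"})))
```

The suggested directive belongs in the ModSecurity configuration after the rule it modifies is loaded, so on shared hosting it is something to hand to the host rather than put in .htaccess.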

Oh, okay, ben, but I’ve been faced with that same situation and, knowing that a value is a URL, I never add/allow the protocol to be passed as it’s illegal in a URI (http://www.ietf.org/rfc/rfc2396.txt - Uniform Resource Identifiers Generic Syntax). IMHO, strip the protocol (http(s):// or mailto://) before sending your form off to be processed.

Regards,

DK