2
votes

I am working on solving an issue within my Apache servers that will return a 403 Forbidden page when I attempt to go to a URL with sub-directories and the sub-directories do not exist.

"domain.com/etc/" will return a 403 Forbidden error instead of a 404.

"domain.com/cd/" will return a 403 instead of a 404.

"domain.com/xss/" will return a 403 instead of a 404.

I've tried other URLs/sub-directories; for example, domain.com/bin/ returns 404. I've added this line to the .htaccess file:

ErrorDocument 403 /error404.php

This will make all 403 returns display a 404 page. However, this isn't good if the page is actually supposed to return a 403.

Does anyone know how I can determine why these three sub-directories are returning a 403 and not a 404? NOTE: I believe that these three are the only ones I've been able to get to return a 403 Forbidden page.

Is this an issue with the .htaccess file, httpd.conf, Vhost.conf, or a PHP file? These directories DO NOT exist on the server. Any help would be much appreciated.

1
Look into your Apache error.log - anubhava
Do you have .htaccess file in xss OR etc directory? - anubhava
Thanks for the comment. Probably should have added that to my original context. I've checked the /var/log/httpd/error_log and there is nothing written there since Oct. 27 2013. This has been an issue for some time now. - user2933689
Restart the Apache to get error file working. - anubhava
No there is no /cd or /xss directories. And my etc directory doesn't have an .htaccess file. - user2933689

1 Answer

0
votes

I've figured this out.

Mod_security rules crs_40_general_attacks and crs_41_xss_attacks are the cause. I've located the SEC_rules that are being called, commented those rules out and now I do not get the 403 error. The /cd is redirected to the landing page and the other two return 404 errors. :) Yeah for me :) Thanks to everyone that tried to help, I truly appreciate it.
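
One way to pin down which rule is producing a 403 like the ones in this thread, as an added example that is not part of the original answer: the script below groups ModSecurity "Access denied" entries by request URI and reports the rule id and rule file for each. It assumes the ModSecurity 2.x Apache error-log line format; the sample log lines, rule ids, file names (modelled on the names given in the answer) and the `blocked_by_rule` function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x error-log format. Rule ids, line
# numbers, file paths and client addresses are placeholders, not real CRS values.
SAMPLE_LOG = """\
[Mon Nov 04 10:15:01 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. [file "/path/to/rules/crs_40_general_attacks.conf"] [line "100"] [id "900001"] [msg "constructed message"] [hostname "domain.com"] [uri "/etc/"] [unique_id "AAAA"]
[Mon Nov 04 10:15:04 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. [file "/path/to/rules/crs_41_xss_attacks.conf"] [line "200"] [id "900002"] [msg "constructed message"] [hostname "domain.com"] [uri "/xss/"] [unique_id "BBBB"]
[Mon Nov 04 10:15:07 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. [file "/path/to/rules/crs_40_general_attacks.conf"] [line "300"] [id "900003"] [msg "constructed message"] [hostname "domain.com"] [uri "/cd/"] [unique_id "CCCC"]
[Mon Nov 04 10:15:09 2013] [error] [client 192.0.2.10] File does not exist: /var/www/html/bin
[Mon Nov 04 10:15:12 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS. [file "/path/to/rules/crs_41_xss_attacks.conf"] [line "210"] [id "900004"] [msg "constructed message"] [hostname "domain.com"] [uri "/index.php"] [unique_id "DDDD"]
"""

# Metadata appears as [key "value"] pairs; values may contain escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Only entries where the request was actually refused, not plain warnings.
DENIED = re.compile(r"ModSecurity: Access denied with code (\d{3})")


def blocked_by_rule(log_text):
    """Map each blocked URI to a sorted list of (rule id, rule file, status)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue  # ordinary Apache errors and non-blocking rule matches
        fields = dict(FIELD.findall(line))
        if "id" not in fields or "uri" not in fields:
            continue  # truncated or unexpected entry; skip rather than guess
        rule_file = fields.get("file", "?").rsplit("/", 1)[-1]
        hits[fields["uri"]].add((fields["id"], rule_file, denied.group(1)))
    return {uri: sorted(rules) for uri, rules in hits.items()}


if __name__ == "__main__":
    for uri, rules in sorted(blocked_by_rule(SAMPLE_LOG).items()):
        for rule_id, rule_file, status in rules:
            print(f"{uri}: HTTP {status} from rule id {rule_id} in {rule_file}")
```

The ids it reports are what a targeted exclusion such as ModSecurity's `SecRuleRemoveById` directive takes, which disables a single rule without editing the rule files themselves.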