4 votes

403 Forbidden on PHP page called with url encoded in a $_GET parameter

I am getting a "403 Forbidden" error when I pass a URL as a GET variable like this:

http://script/test.php?url=https://stackguides.com/questions/ask

But this is OK:

http://script/test.php?url=stackoverflow.com/questions/ask

And even if I urlencode the URL, it still gives me a 403.

Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at ----- Port 80

And I don't think this server has mod_security enabled, because when I add SecFilterEngine Off in .htaccess I get "500 Internal Server Error".

Code snippet:

<?php
// Relevant part of test.php, as posted (the rest of the INSERT is omitted)
$URL = mysql_real_escape_string($_GET['url']);
mysql_query("INSERT INTO `url` ...");

So the question is, can I fix this without editing httpd.conf, because I don't have root privilege? Thanks.

Show some code from the test.php file. - Sujit Agarwal
I added it, sir, but I doubt it's relevant; I tried it with another file and it did the same. - 0xAli

2 Answers

6 votes

Do you have access to the Apache error log itself? If this is a cPanel system and you have shell access, try viewing the log /usr/local/apache/logs/error_log; mod_security errors will appear there. Otherwise, you can look inside your control panel to see if it picks up any error messages.

Even if mod_security is installed, you can still get a 500 error after putting SecFilterEngine in .htaccess if the keyword isn't allowed.

I recommend contacting your web host to determine whether mod_security is the cause. If it is, you can ask them to create an exception. (I work for a web hosting company, and we're almost always happy to make mod_security exceptions for reasonable applications.)

If it's caused by mod_security and your web host won't create an exception, you either need to change hosting companies or find a different way to pass the URL (base64 encoding might work for you).

3 votes

For me the solution to this issue was getting my host (HostGator) to create an exception for mod_security on my site. mod_security is used for blacklisting certain types of operations, and it seems $_GET requests containing URLs (http://www.etc) were one, for whatever reason. As stated by lunixbochs, most hosts will be happy to sort it out for you.
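Both answers land on the same two options: have the host add a mod_security exception, or change how the URL is passed so the query string no longer contains a literal http://... (lunixbochs' base64 suggestion). The following is an added example, not code from the question or from either answer, showing the second option done carefully: the caller base64url-encodes the URL, and test.php decodes it, validates it against an http/https allowlist, and stores it with a prepared statement. The parameter name u, the function names, the length cap, the PDO DSN and the table layout are assumptions for illustration.

```php
<?php
// Added example (not the poster's code). Demonstrates passing a URL to
// test.php in a form that does not trip a "URL in query string" rule, while
// keeping the input validation that the filter was providing for free.
declare(strict_types=1);

// URL-safe base64 (RFC 4648 section 5), so the value needs no further escaping.
function encode_url_param(string $url): string
{
    return rtrim(strtr(base64_encode($url), '+/', '-_'), '=');
}

// Returns null for anything outside the base64url alphabet or that fails
// strict decoding; the caller treats null as "bad request".
function decode_url_param(string $param): ?string
{
    if ($param === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $param)) {
        return null;
    }
    $padded  = $param . str_repeat('=', (4 - strlen($param) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// Only absolute http(s) URLs with a host are accepted. This is the step that
// matters once the request no longer goes through the mod_security rule:
// decoding must not become a way to feed arbitrary input into the INSERT.
function validate_url(string $url): ?string
{
    if ($url === '' || strlen($url) > 2048) {          // length cap is an assumed limit
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// --- Caller side: build the link. The query string now carries only
//     base64url characters, never "http://" or "https://".
$link = 'http://script/test.php?u='
      . rawurlencode(encode_url_param('https://stackguides.com/questions/ask'));

// --- test.php side (assumed parameter name "u").
$raw = $_GET['u'] ?? '';
$url = validate_url(decode_url_param($raw) ?? '');
if ($url === null) {
    http_response_code(400);
    exit('invalid url parameter');
}

// Prepared statement instead of mysql_real_escape_string plus string
// concatenation; DSN, credentials and column name are assumptions.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('INSERT INTO `url` (`url`) VALUES (:url)');
$stmt->execute([':url' => $url]);
```

The encoding only changes transport; it is the allowlist in validate_url and the prepared statement that replace the protection the host's rule was giving. Before choosing this route, it is still worth confirming in the error log (or with the host) that mod_security is actually what returns the 403, since the same encoding change will not help if the block comes from somewhere else.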