LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices



Reply
 
Search this Thread
Old 05-29-2012, 12:40 PM   #1
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,632
Blog Entries: 3

Rep: Reputation: 345Reputation: 345Reputation: 345Reputation: 345
HTML POST form gets 403 with certain characters in input


I have the following html form:

PHP Code:
<html>
        <head></head>
        <body></body>
        <?php if(isset($_POST['areas']) && !empty($_POST['areas'])){
                echo 
'Got: ' $_POST['areas'] . '<br/>';
        } else { 
?>
                <form method="post" enctype="multipart/form-data" action="test.php">
                        <h3>Text</h3>
                        <textarea name="areas" rows="5" cols="80"></textarea>
                </form>
        <?php ?>
        </body>
</html>
saved as test.php.

When I give it the input "<b>Test</b>" I get "Got: Test" as expected, but when I give it "<b>Test</b><!--comment-->" I get a 403 error. If I copy and paste the URL which is giving the 403 error I get (as expected) the form shown above.

I've heard tell that this is something to do with mod_security, but I won't be able to edit that (being on shared hosting). Is there any workaround that people know of?

Thanks,
 
Old 05-30-2012, 12:13 AM   #2
bertlef
Member
 
Registered: Dec 2004
Location: Costa Rica
Distribution: Ubuntu
Posts: 69

Rep: Reputation: 17
Couple of minor corrections:
You are closing the </body> tag twice
This code is missing at least the submit button.

It seams to be that mod_security can be overridden in .htaccess
Code:
<IfModule mod_security.c>
	# Turn off mod_security filtering.  SMF is a big boy, it doesn't need its hands held.
	SecFilterEngine Off

	# The below probably isn't needed, but better safe than sorry.
	SecFilterScanPOST Off
</IfModule>
I don't have mod_security in my computer and it works fine here for which I can't really reproduce the error at the moment.
 
1 members found this post helpful.
Old 05-30-2012, 11:33 AM   #3
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,632
Blog Entries: 3

Original Poster
Rep: Reputation: 345Reputation: 345Reputation: 345Reputation: 345
Thanks for your suggestions - you're absolutely right about your corrections, woops!

Unfortunately, changing the .htaccess does nothing - and if I remove the "IfModule" tags, it gives an internal server error, which suggests to me that mod_security isn't being used and hence isn't the cause of my problems.

As you say, it works find on my local apache server, as well as on a different website (and different hosting provider), just not this web hosting. I think I'll get in touch with them to ask them if they can help. Cthulhu help me, with their support procedures *eyeroll*
 
Old 05-30-2012, 12:02 PM   #4
bertlef
Member
 
Registered: Dec 2004
Location: Costa Rica
Distribution: Ubuntu
Posts: 69

Rep: Reputation: 17
That sure sounds like a problem in their server, it is better to just confirm with them, if not, we'll keep on trying

Good luck with them.
 
Old 05-30-2012, 12:35 PM   #5
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,632
Blog Entries: 3

Original Poster
Rep: Reputation: 345Reputation: 345Reputation: 345Reputation: 345
I got the following response back:

Quote:
On checking the apache error logs, I can see mod_security errors. The mod_security was blocking the HTTP POST as it thinks it is a possible injection to the site. I have disabled the mod_security settings for the domain to fix the issue.
So yeah, looks like it was mod_security (the internal server errors were presumably caused by some restriction on disabling mod_security). Everything now works as we expected. Thanks for your help, bertlef
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
php5 problem with uploads from IE using html form input type file miedward Programming 3 04-06-2010 02:24 PM
Yet another Apache index.html 403 problem jerod23 Linux - Server 9 07-13-2009 02:23 PM
.htaccess 403/404.html not working properly Nemie Linux - Server 1 10-28-2008 11:09 PM
PHP:Unable to post variables from html form to mysql database vikram_cvk Linux - Software 1 09-29-2004 04:01 PM
PHP and HTML Form Post Savahn Programming 12 06-30-2004 04:15 PM


All times are GMT -5. The time now is 05:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration