Old 05-11-2007, 12:13 PM   #1
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

This POST has me stumped


On a form that gets submitted to a website, I have the option of selecting one or more of an arbitrary number of checkboxes.

I am having a problem where if I select ANY of these checkboxes, the server is returning a 403, while if I select NONE of the checkboxes, it works.

Here is the POST where one checkbox is selected:
Code:
POST /admin.php?query=ACTIVE HTTP/1.1
Host: blahblah.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://blahblah.com/admin.php?query=ACTIVE
Cookie: PHPSESSID=8259297f1b55e0d2bccb49360e581876
Content-Type: application/x-www-form-urlencoded
Content-Length: 1051

490=selection&
MBT_mailscript_PDF_Date=today&MBT_pro_mailscript_from=pro%40blahblah.com&MBT_pro_mailscript_subject=blah+blah+Professional&MBT_pro_mailscript_fileToSend=May2007-pro.php&MBT_pro_mailscript_userIDtoUse=166&HOT_pro_recipientUserID=&MBT_pro_mailscript_AffiliateID=SMRT5&MBT_pro_mailscript_SQL_Field=affinityID&submit=Add+Three+Free+Months&MBT_mailscript_dontSendEmails=true&MBT_mailscript_dontChangeDB=true&MBT_mailscript_triggerDate=today&MBT_mailscript_to=troy%40blahblah.com&MBT_mailscript_from=support%40blahblah.com&MBT_mailscript_subject=blahblah+Newsletter&MBT_mailscript_fileToSend=May2007.php&MBT_mailscript_userIDtoUse=4&MBT_pro_free_mailscript_to=troy%40blahblah.com&MBT_pro_free_mailscript_from=support%40blahblah.com&MBT_pro_free_mailscript_subject=blah+blah+Professional&MBT_pro_free_mailscript_fileToSend=May2007-pro.php&MBT_pro_free_mailscript_userIDtoUse=166&MBT_msg_mailscript_from=info%40blahblah.com&MBT_msg_mailscript_subject=blah+blah&MBT_msg_mailscript_text=

HTTP/1.1 403 Forbidden
Date: Fri, 11 May 2007 16:34:03 GMT
Server: Apache/1.3.33 (Darwin) mod_fastcgi/mod_fastcgi-SNAP-0404142202 mod_jk/1.2.4 mod_ssl/2.8.24 OpenSSL/0.9.7l PHP/4.4.2
Keep-Alive: timeout=2, max=499
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Note that I broke the line 490=selection& onto a separate line in order to highlight its presence for observation purposes only; in the actual post it is properly just part of the data stream, though it is the first value in the data stream.

Now here is the POST where no selection is made

Code:
POST /admin.php?query=ACTIVE HTTP/1.1
Host: blahblah.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://blahblah.com/admin.php?query=ACTIVE
Cookie: PHPSESSID=8259297f1b55e0d2bccb49360e581876
Content-Type: application/x-www-form-urlencoded
Content-Length: 1037

MBT_mailscript_PDF_Date=today&MBT_pro_mailscript_from=pro%40blahblah.com&MBT_pro_mailscript_subject=blah+blah+Professional&MBT_pro_mailscript_fileToSend=May2007-pro.php&MBT_pro_mailscript_userIDtoUse=166&HOT_pro_recipientUserID=&MBT_pro_mailscript_AffiliateID=SMRT5&MBT_pro_mailscript_SQL_Field=affinityID&submit=Add+Three+Free+Months&MBT_mailscript_dontSendEmails=true&MBT_mailscript_dontChangeDB=true&MBT_mailscript_triggerDate=today&MBT_mailscript_to=troy%40blahblah.com&MBT_mailscript_from=support%40blahblah.com&MBT_mailscript_subject=blahblah+Newsletter&MBT_mailscript_fileToSend=May2007.php&MBT_mailscript_userIDtoUse=4&MBT_pro_free_mailscript_to=troy%40blahblah.com&MBT_pro_free_mailscript_from=support%40blahblah.com&MBT_pro_free_mailscript_subject=blah+blah+Professional&MBT_pro_free_mailscript_fileToSend=May2007-pro.php&MBT_pro_free_mailscript_userIDtoUse=166&MBT_msg_mailscript_from=info%40blahblah.com&MBT_msg_mailscript_subject=blah+blah&MBT_msg_mailscript_text=

HTTP/1.1 200 OK
Date: Fri, 11 May 2007 16:39:35 GMT
Server: Apache/1.3.33 (Darwin) mod_fastcgi/mod_fastcgi-SNAP-0404142202 mod_jk/1.2.4 mod_ssl/2.8.24 OpenSSL/0.9.7l PHP/4.4.2

The only apparent difference between these two posts is the 403=selection& text (and of course the length of the string) but the difference seems to cause a "forbidden" error.

Here is .htaccess:
Code:
RewriteEngine On
RewriteRule ^(.*/)?\.svn/ - [F,L]
ErrorDocument 403 "Access Forbidden
RewriteRule ^(.*)\.([0-9a-zA-Z]*)\.news$ $1.php?userCode=$2
RewriteRule ^(.*)\.([0-9a-zA-Z]*)\.test$ __test.php?userCode=$2&fn=$1.php
RewriteRule ^(.*)\.([0-9a-zA-Z]*)\.aff$  index.php?page=$1&affiliateID=$2
RewriteRule ^nl_image-([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)\.HOT_image$ nl_image.php?fn=../users/$1/$3/$2/$4.jpg&width=$5&height=$6&quality=$7
RewriteRule ^([^\.]+)$ $1.php

php_value error_reporting 7

I see no reason why this .htaccess would interfere, and indeed removing .htaccess or commenting everything out seems to have no effect.

This is sending me up the wall; does anyone here have any idea why this might be happening?
 
Old 05-11-2007, 12:44 PM   #2
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Original Poster
I have a "solution", though it makes me unhappy.

Basically, the value containing the string "selection" is what caused the 403 out of that server (Mac running Apache). I tried another variant - "id_selection" and still got the 403. When I changed it from the string "selection" to the string "chosen", then suddenly it worked.

This shouldn't be, I don't think; I am going to notify the hosting service.
 
Old 05-11-2007, 02:42 PM   #3
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Original Poster
And the answer (per the hosting company) turns out to be that they recently turned on mod_security by default because too many customers had insecure forms which were being used for relay spam.

Turns out that the string "select" matches a pattern. That surprises me; I would think that "select " or "select%" might match, but not "select".
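
The false positive described in this thread can be reproduced offline. The following is an added example, not code from the original posts or from the hosting company: the two rule patterns are hypothetical stand-ins (the host's actual mod_security rule is never shown in the thread), the request bodies are constructed and shortened from the POST above, and matching is done on decoded parameter pairs as a simplification.

```python
import re
from urllib.parse import parse_qsl

# Constructed bodies modelled on the thread's POST data (shortened).
BODY_BLOCKED = "490=selection&MBT_mailscript_PDF_Date=today&submit=Add+Three+Free+Months"
BODY_VARIANT = "490=id_selection&MBT_mailscript_PDF_Date=today"
BODY_RENAMED = "490=chosen&MBT_mailscript_PDF_Date=today&submit=Add+Three+Free+Months"
# Constructed statement-shaped value, to show the tighter rule still fires.
BODY_SQL_SHAPED = "note=select+name+from+users"

# Hypothetical patterns: an unanchored keyword versus a keyword that must
# stand as a whole word and be followed later by "from".
RULES = {
    "bare-keyword": re.compile(r"select", re.I),
    "keyword-in-context": re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
}


def triage(body):
    """Return {rule_name: [(param, value), ...]} for each decoded pair a rule matches."""
    hits = {name: [] for name in RULES}
    for key, value in parse_qsl(body, keep_blank_values=True):
        for name, pattern in RULES.items():
            if pattern.search(key) or pattern.search(value):
                hits[name].append((key, value))
    return hits


def would_block(body, rule_name):
    """True if the named rule matches any parameter name or value in the body."""
    return bool(triage(body)[rule_name])


if __name__ == "__main__":
    samples = {
        "selection": BODY_BLOCKED,
        "id_selection": BODY_VARIANT,
        "chosen": BODY_RENAMED,
        "sql-shaped": BODY_SQL_SHAPED,
    }
    for label, body in samples.items():
        print(label, triage(body))
```

Running the same triage over a real captured body points at the exact parameter to report to whoever maintains the rule set, which is a better fix than renaming form fields one at a time.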
 
  

