403 Error on Form Submit

[MattHawkins]

A form on my site has stopped working. It used to work but if I submit now it throws a 403 error. The form HTML is generated and then processed with a PHP script. It has worked in the past but something must have changed on the server.

I have just isolated the problem.

If I disable mod_security the form works ok (but I don't want to do this).

The form submits the contents of a text box which includes a URL. mod_security clearly no longer likes me submitting text parameters that are URLs ie anything looking like "http://www.asitehere.com/". It works if I remove the "http://" bit from the front.

I use the form to dynamically add URL links to a database table and I want them to be the full URL.

So my question is how do I submit a URL that the user has typed in without mod_security going crazy?

I do not want to exclude the http:// bit of the URL because other people use the site and they will never remember to exclude it ... and a 403 error isn't going to help them when they forget.

My only thoughts are to use javascript to store a hidden version of the url that is typed in but strip off the http bit. It could then be reattached before being written into the database.

Any help would be appreciated!

Thanks,

Matt

[Rock]

Hi Matt,

Our CTO, NickJ, is well versed with the mod_security, web application firewall. He'd be able to get this sorted for you once he's back. Meanwhile could you please open up a ticket with the appropriate details to produce the error on our end. We'd be glad to that you're sticking to the security for your website, rather than getting it removed in order to get the form working.. I like people who adhere to security Good luck..

[Daniel]

Quote:

Originally Posted by Rock

Hi Matt,

Our CTO, NickJ, is well versed with the mod_security, web application firewall. He'd be able to get this sorted for you once he's back. Meanwhile could you please open up a ticket with the appropriate details to produce the error on our end. We'd be glad to that you're sticking to the security for your website, rather than getting it removed in order to get the form working.. I like people who adhere to security Good luck..

*impresses with big firewall*

On a serious note I am also a security freak, software firewalls, hardware firewalls, AV etc. Anybody who runs without them is

[Rock]

Quote:

Originally Posted by Daniel

*impresses with big firewall*

On a serious note I am also a security freak, software firewalls, hardware firewalls, AV etc. Anybody who runs without them is

/me is much impressed to know that

[MattHawkins]

I've submitted a ticket.

Quote:

<html>
<body>
<?php

//
// Test Form to submit URL text
//
echo " <!-- Form to add new link -->\n";
echo " <form name=\"test_form\" method=\"post\" action=\"test_form.php\">\n";
echo " <fieldset>\n";
echo " <legend>Test Form</legend>";

echo " <table>\n";
echo " <tr><td>Name</td><td><input type=\"text\" name=\"ilink_name\" size=\"80\" maxlength=\"80\" value=\"Website Name\" /></td></tr>\n";
echo " <tr><td>URL</td><td><input type=\"text\" name=\"ilink_url\" size=\"80\" maxlength=\"255\" value=\"enter url\" /></td></tr>\n";
echo " </table>\n";

echo " <input type=\"submit\" name=\"isubmit\" value=\"Add New\" />\n";
echo " </fieldset>\n";
echo " </form>\n";

?>

</body>
</html>

This simple PHP script demos the issue.

The script works if you enter "www.google.com" but throws a 403 error if you enter "http://www.google.com"

It appears to actually be the "http:/" at the start that causes the problem.

I'll wait for the support ticket response. It's not a critical issue and I can rework the code if required.

Just thought I'd post this info for other users who may search for it in the future.

Matt

[swexpert]

Hi,
Just out of curiosity, have you tried entering www.someurl.com/index.php? Well as I said, just curious if your script is handling character / (must be going UTF encoded to your script) etc...

Best of luck!
Inderjeet

[a1phanumeric]

I'm also looking for a solution to this...

[a1phanumeric]

I have found a solution to the form post 403 error (when using a URL as some data to submit). Why not use this technique too? I found it at:

LINK -> edrackham.com/javascript/solution-to-form-submit-403-error

It works for me no problems what-so-ever!

[Rock]

Quote:

Originally Posted by a1phanumeric

I have found a solution to the form post 403 error (when using a URL as some data to submit). Why not use this technique too? I found it at:

LINK -> edrackham.com/javascript/solution-to-form-submit-403-error

It works for me no problems what-so-ever!

Thank you for sharing the link & glad it worked out for you