Jump to content

403 surprise


ginerjm

Recommended Posts

As of this morning one of my appl menus is giving me fits.  Don't know what happened but certain menu choices don't function.  In fact I get a 403 error page when I click on their submit buttons.

Here is the form code from the Dom Explorer tab of my IE page:

<form name="form3" action="/poolmenu.php" method="POST">
<center class="medtxt yellow">Suicide Pool Tools</center>
<br>
<input name="btn" class="a_menu regtxt akitem popular_link" type="submit" value="41. Update NFL Schedule/Results" data_ak="41">
<br>
<input name="btn" class="a_menu regtxt akitem popular_link" type="submit" value="42. Post Suicide Results From NFL Results" data_ak="42">
</form>

I have shortened the menu to show only these two items - there are several more all like this.  The first submit fails with the 403 message, but the second works just fine.  Here is the code that handles these "btn" values:

//*****************************
//  #41
if ($btn == 'Update NFL Schedule/Results')
{
	unset($_POST['btn']);
	$dest = 'jg/nflgamesupdate.php';
	header("Location: $dest");
	exit();
}
//*****************************
//  #42
if ($btn == "Post Suicide Results From NFL Results")
{
	unset($_POST['btn']);
	$dest = "/jg/pools/suicide_post_results2.php";	// new version 9/11/16
	header("Location: $dest");
	exit();
}

As you can see they both come from the same form with the same action.  Normally they should be handled by their appropriate block of code.

Some of you may want to focus on my methods but that is not the issue here.  The problem is this style of coding works for me in all of my apps and until this morning this script functioned just perfectly.  I am suspecting perhaps a domain hack here but I can't see how it could be introduced into this code nor how it could be interfering with my process.  I have done a bunch of debugging to display things and all that happens is when I click on the 'working' submit button I get those displays.  But when I click on the non-working one I get NO displays and just the 403 page.  The interesting thing is that the 403 message tells me that the very page that contains all of this code is not accessible to me.  The same page loads the first time and displays my menus and when the submits are clicked the action takes me to this same page/script.  Yet - one of the clicks is handled perfectly by this same script and the other gives me the error.

I have even modified the processing code above to simply echo out that the code has reached the appropriate block and for the #42 block I get the message, but for the #41 block I never get it - I just get the 403 page.  How can this be??

Here is the error page:

Forbidden

You don't have permission to access /poolmenu.php on this server.


Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I am going bald.

Link to comment
Share on other sites

error_log is PHP's log. PHP is not the one responding with the 403 error. The 403 error is coming from Apache. The fact that Apache is responding with a 403 error, and likely the reason why, should have been written to the error log configured for Apache and/or the virtualhost serving your site.

If there isn't an error log set up, set one up, then trigger the error again and see what the log says.

Link to comment
Share on other sites

I seem to have found the cause of the 403 errors.  My appl menu page has links on it as I've shown you already.  If I alter the word "Update" in the link, the script no longer errors out with a 403.  Change it back to "Update" and it goes to the 403 once again.   So - someone somehow has added some kind of code on my host's server to cause this.  Any ideas on how to trace this down?

Link to comment
Share on other sites

I have actually tried going thru that but all I end up with is a .com file that I cannot open.  The log entry lists .gz files but when I download it I get to a file extractor program that shows it as a .com only   Is there some trick to extracting the log files?

Link to comment
Share on other sites

More digging and more questions.....

Here is an example of some simplified html

		echo "
		<input type='submit' name='btn' class='a_menu $a_sz'
			value='Update NFL Schedule/Results'>";
		echo "
		<input type='submit' name='btn' class='a_menu $a_sz'
			value='99. Update Post Suicide Results From NFL Results'>";

Normally my menu items (above) include a sequence number to enable me to use some JS code to capture a numeric entry to place focus on the item so I can just hit enter after typing in the numbers.  Never had a problem til now.  With the above alteration, my first submit button works fine despite having the word 'Update' in it.  The second submit does not work though.  If I go back into my script and remove the little old "99. ", the button then works.   That's all - just remove the digits and the dot and the space and it works.  Normally I have a little script (php) that checks the incoming POST "btn" value and strips off the leading numeric since they are only needed for my JS code to cause the focus to happen.  That same code reads all of my  btn values that have or don't have numerics so there is really no difference to my script whether we have numbers on the values or not.  But - something is happening that causes my script to not even function when it has a number followed by the word "update"???  I have added an echo in my script to show me the incoming btn value which works just fine for ALL btn values except the ones that go to a 403 - so apparently my script doesn't even get called in the problem cases and that means (to me) that somebody is intercepting my http conversation and not my code.

Remember - the 403 message tells me that this script name is forbidden from me yet the whole process starts with a call to this same script in order to get it to display my menu.  How can it not be forbidden when it does the display but is forbidden when it tries to read it's own work and pass control to another script?

Apparently there are 2 keys to this malfunction - that my btn value has a numeric and the word 'Update' in it.  If I alter my above "99" line to just have the word 'Post" and not "Update Post", it works just fine.  OR if I just drop the 99 and leave it as "Update Post", it works just fine.  Even more testing shows that if I alter it to be "99. Post Update...." it works properly.  So something somewhere is looking for a match of "##. Update" at the beginning of my submit value clauses and causing a 403.  Personally I don't even know how to capture that data nor do I know how to cause a 403.

A long-winded narrative I know but this problem is a real puzzler.

Link to comment
Share on other sites

4 hours ago, ginerjm said:

Remember - the 403 message tells me that this script name is forbidden from me

No, it tells you the request was forbidden. What I'm trying to get you to discover is whether there is something installed in Apache that is inspecting the request and deeming it unsafe. Something like mod_security.

.com files are not a thing (anymore). Open it with a text editor: what are the first few characters you see (assuming it's not all plain text)?

Link to comment
Share on other sites

Ok - rename the .com to .txt and I see a log.  I can see some lines showing me going to my index page, then to my "poolmenu.php" menu page then to a 403 page and then a return to my poolmenu.php page (using an Alt-BS).  Nothing more than that.

Link to comment
Share on other sites

Just to be sure - does the below look like an apache log:

45.47.162.19 - - [13/Feb/2019:15:56:34 -0500] "GET / HTTP/1.0" 200 35412 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:34 -0500] "GET /favicon.ico HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:39 -0500] "POST /index.php HTTP/1.0" 302 - "http://jimginer.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:40 -0500] "GET /myauthpagenew.php?from=/index.php HTTP/1.0" 302 - "http://jimginer.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:40 -0500] "GET /poolmenu.php HTTP/1.0" 200 21627 "http://jimginer.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:40 -0500] "GET /favicon.ico HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:40 -0500] "GET /sounds/Elevator_ding.mp3 HTTP/1.0" 304 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:43 -0500] "POST /poolmenu.php HTTP/1.0" 302 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:44 -0500] "GET /jg/nflgamesupdate.php HTTP/1.0" 200 13021 "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:45 -0500] "POST /jg/nflgamesupdate.php HTTP/1.0" 302 - "http://jimginer.net/jg/nflgamesupdate.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:46 -0500] "GET /poolmenu.php HTTP/1.0" 200 21628 "http://jimginer.net/jg/nflgamesupdate.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:46 -0500] "GET /sounds/Elevator_ding.mp3 HTTP/1.0" 304 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:49 -0500] "POST /poolmenu.php HTTP/1.0" 403 1 "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:51 -0500] "GET /poolmenu.php HTTP/1.0" 200 21628 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:56:52 -0500] "GET /sounds/Elevator_ding.mp3 HTTP/1.0" 304 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:57:00 -0500] "POST /poolmenu.php HTTP/1.0" 302 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:57:00 -0500] "GET /jg/nflgamesupdate.php HTTP/1.0" 200 13021 "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:57:03 -0500] "GET /jg/nflgamesupdate.php HTTP/1.0" 200 13021 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:57:05 -0500] "POST /jg/nflgamesupdate.php HTTP/1.0" 302 - "http://jimginer.net/jg/nflgamesupdate.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:57:05 -0500] "GET /poolmenu.php HTTP/1.0" 200 21628 "http://jimginer.net/jg/nflgamesupdate.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:57:05 -0500] "GET /sounds/Elevator_ding.mp3 HTTP/1.0" 304 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:58:11 -0500] "GET /poolmenu.php HTTP/1.0" 200 21628 "http://jimginer.net/jg/nflgamesupdate.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:58:11 -0500] "GET /jimginer.css HTTP/1.0" 304 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:58:12 -0500] "GET /sounds/Elevator_ding.mp3 HTTP/1.0" 304 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:58:14 -0500] "POST /poolmenu.php HTTP/1.0" 302 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:58:14 -0500] "GET /myauthpagenew.php?from=/poolmenu.php HTTP/1.0" 302 - "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:58:14 -0500] "GET /jg/nflgamesupdate.php HTTP/1.0" 200 13020 "http://jimginer.net/poolmenu.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
45.47.162.19 - - [13/Feb/2019:15:58:16 -0500] "POST /jg/nflgamesupdate.php HTTP/1.0" 302 - "http://jimginer.net/jg/nflgamesupdate.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

 

 

Link to comment
Share on other sites

Yeah, but that's the access log, and while it does show the 403 it doesn't give a why.

Let's try guessing from the other direction. Do the POST request in your browser, watching it as it happens. Make sure you can see the whole request - where it's going and what data it is sending - then post it here.

Link to comment
Share on other sites

Not sure what you mean.  How do I watch a POST request? 

I do know this. If I add an echo at the top of my script and upload it, when the script runs it gives me a message.  When I click on a working link I see that message again but of course my header command to go to wherever my logic says to go.  But - if I click on a "bad" link I only get the 403 page and my script never seems to execute.  Like - my click never gets to where it is supposed to be sent.  So - who is intercepting my flow and steering it away from my poolmenu.php script when I click only on certain links?

Link to comment
Share on other sites

2 hours ago, ginerjm said:

Not sure what you mean.  How do I watch a POST request? 

Using your browser's dev console tool thing. They all have some feature to watch requests, like regular pages or AJAX. They'll also show you the form data being submitted, if any.

2 hours ago, ginerjm said:

So - who is intercepting my flow and steering it away from my poolmenu.php script when I click only on certain links?

That's what we're trying to find out. Asking the same question again doesn't make any progress.

Link to comment
Share on other sites

It sounds like you're host may have installed something like mod_security and your post data is getting caught as a possible sql injection attempt.

You might be able to disable it.

Otherwise, you may just have to re-structure your data to avoid it.

I'm not really familiar with mod_security. Never used it or anything similar in my setups.

Link to comment
Share on other sites

kicken - thanks for the info.  I'll forward to my host - who has already said "our servers are secure".

Barand - I am using data attributes already.  But - don't quite see how yours works.

Requinix - sorry if I sound like I'm not listening.  This is such a crazy bug that I am getting a bit frustrated that I am not getting my dilemma across to all those who may try to help me. 

Link to comment
Share on other sites

And the Oscar goes to:  KICKEN!!!

Your suggestion was spot on.  My host did say that they had recently added mod_security and that cpanel offered an on/off switch.  So - I turned it off and everything now works.

Thanks to all who listened to my scenario and provided their input.  As always - great help!!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.