Before ok but today Erro 403 with friendly url


  • #16
    Originally posted by fatdogmandoza View Post
    Does anyone know why "forumdisplay.php?4" would work and "forumdisplay.php?4-Classifieds" comes up with 403 error?
    This is true.

    showthread.php/98092-Bla-bla-bla works fine.
    showthread.php?98092 works fine.
    showthread.php?98092-Bla-bla-bla doesn't work.

    The combination of ? and - doesn't work.

    We have tried to redirect the basic friendly URLs to advanced in .htaccess without success so far (Error 403).

    Comment


    • #17
      Almost certainly the source of the issue:
      http://www.php.net/archive/2012.php#id2012-05-03-1

      In Spanish:
      http://rm-rf.es/vulnerabilidad-criti...asadas-en-cgi/

      Comment


      • #18
        http://www.php.net/archive/2012.php#id2012-05-06-1

        PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.
        One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:

        RewriteCond %{QUERY_STRING} ^[^=]*$
        RewriteCond %{QUERY_STRING} %2d|\- [NC]
        RewriteRule .? - [F,L]

        Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.

        Comment
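
Added example, not part of the original post or of the PHP announcement: a Python emulation of the two RewriteCond lines quoted in #18, run over URLs modelled on the ones reported in this thread, to show which requests the rule answers with 403. The sample URLs are constructed, and `/charts.php` is a hypothetical script name standing in for the `?top-40` case.

```python
import re
from urllib.parse import urlsplit

# Python equivalents of the two RewriteCond patterns quoted above.
NO_EQUALS = re.compile(r"^[^=]*$")               # RewriteCond %{QUERY_STRING} ^[^=]*$
HAS_DASH = re.compile(r"%2d|\-", re.IGNORECASE)  # RewriteCond %{QUERY_STRING} %2d|\- [NC]


def is_blocked(url: str) -> bool:
    """Return True when the rule set would answer 403 ([F]) for this URL."""
    # urlsplit leaves the query percent-encoded, like Apache's %{QUERY_STRING},
    # which is why the rule has to look for the encoded dash (%2d) as well.
    query = urlsplit(url).query
    # Consecutive RewriteCond lines are ANDed: both must match for the rule to fire.
    return bool(NO_EQUALS.search(query)) and bool(HAS_DASH.search(query))


# Constructed sample URLs, modelled on the ones reported in this thread.
SAMPLES = [
    "/forumdisplay.php?4",                  # no dash in the query string
    "/forumdisplay.php?4-Classifieds",      # basic friendly URL: dash, no '='
    "/showthread.php/98092-Bla-bla-bla",    # advanced friendly URL: dash is in the path
    "/showthread.php?98092",
    "/showthread.php?98092-Bla-bla-bla",
    "/showthread.php?98092%2DBla",          # percent-encoded dash
    "/showthread.php?t=98092-Bla-bla-bla",  # contains '=', first condition fails
    "/charts.php?top-40",                   # hypothetical script; the "safe but blocked" case
]


def classify(urls):
    """Map each URL to '403' or 'pass' under the emulated rule."""
    return {u: ("403" if is_blocked(u) else "pass") for u in urls}


if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print(f"{verdict:4}  {url}")
```

The result matches the symptoms in #16: only the "?" plus "-" combination without "=" is rejected, while the path-style and "key=value" forms pass.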


        • #19
          PHP has released further updates for that issue. If your host is still using CGI, then you should petition them to upgrade to FastCGI.

          http://www.php.net/archive/2012.php#id2012-05-08-1

          Wayne Luke

          Comment


          • #20
            You need to get a hold of 1&1 again - talk to their dedicated support line. I wouldn't trust it to just email. My issue is now fixed - this is the last communication I had with them.


            Thank you for contacting us. We have fixed the issue with your server as one of our updates to insure the security of your server from php hacking attempts. The change was made in /kunden/etc/apache-perf/access.conf. If you have any further questions please do not hesitate to contact us. -- Sincerely, James Preston Dedicated Server Support 1&1 Internet Inc.
            They definitely made a change, and it didn't work correctly.

            Comment


            • #21
              Originally posted by Wayne Luke View Post
              PHP has released further updates for that issue. If your host is still using CGI, then you should petition them to upgrade to FastCGI
              Adding AddType x-mapp-php6 .php to .htaccess we have PHP 5.4.3 (cgi-fcgi).

              But the issue remains, the 1&1 managed server is misconfigured.

              Comment


              • #22
                Originally posted by Craig Reade View Post
                My issue is now fixed
                You have luck, congratulations

                Comment


                • #23
                  A little luck, yeah. Some practice though - I've used them for so many years, I've learned that their regular tech support line and support via email is pretty well useless :LOL:

                  Comment


                  • #24
                    To solve my problem I just need to add a rule in my .htaccess to force a transform of http://xxxxx.com/showthread.php? into http://xxxxx.com/showthread.php/

                    Is it possible? It will help me a lot but I don't really know how to do it, maybe with mod rewrite, but I don't know how to build a rule to do that.

                    Something like:
                    RewriteRule ^showthread.php? ^showthread.php/

                    If someone who knows how to do this rule properly can tell me how to do the rule, it will be very appreciated
                    Last edited by luichi; Thu 10th May '12, 6:14pm.

                    Comment


                    • #25
                      Issue fixed in my sites by the 1&1 staff. Thanks!

                      Comment


                      • #26
                        Originally posted by soloarquitectura View Post
                        Issue fixed in my sites by the 1&1 staff. Thanks!
                        What did you tell them to make them know how to successfully fix the problem?

                        Thanks
                        Last edited by luichi; Fri 11th May '12, 3:42am.

                        Comment


                        • #27
                          Originally posted by luichi View Post
                          What did you tell them to make them know how to successfully fix the problem?
                          This thread!

                          Comment


                          • #28
                            Nice, it works properly again. Thanks to all for the help

                            Comment
