Re: 403 Forbidden on unicode urlencoded GET parameters (SecFilter issue)


 



Sorry for the noise, the customer blindly copy-pasted a “security rule from the Internet” into his htaccess, and this was a rule to forbid foreign characters…

You will laugh with me, he wrote that, then complained about the Forbidden he got:

> # Rules to block foreign characters in URLs
> RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
> RewriteRule ^(.*)$ - [F]

This topic is solved.

2015-04-28 15:42 GMT+02:00 Thomas DEBESSE <thomas.debesse@xxxxxxxxxxxxxxxxxxxxxxxxx>:
Hi, sorry, I don't know why I got a false positive yesterday, but this is not related to SecFilter, the options change nothing and removing the whole mod_security module changes nothing, so it's not related to mod_security.

So this is my problem:

When a GET parameter uses a urlencoded unicode character (like “%C3%A0”), Apache answers “403 Forbidden” without logging anything.
I just have to call something like that: http://domain/script.php?action=""> to get a 403 Forbidden answer.

Do you know what the cause of this problem is?

Thank you in advance

--
Thomas DEBESSE



--
Thomas DEBESSE
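
Why the quoted rule answers 403 for `%C3%A0`, as an added example that is not part of the original thread: the RewriteCond pattern is transcribed into Python's `re` (with `[NC]` as `re.IGNORECASE`) and run over constructed query strings. The helper names and the sample inputs are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Pattern copied from the RewriteCond in the post; [NC] becomes re.IGNORECASE.
# %{QUERY_STRING} is matched in its raw, still percent-encoded form.
RULE = re.compile(r"^.*(%0|%A|%B|%C|%D|%E|%F).*", re.IGNORECASE)

# Helper added for this example: finds each escape whose first hex digit
# is one of the seven the rule lists (0, A, B, C, D, E, F).
ESCAPE = re.compile(r"%[0A-F][0-9A-F]?", re.IGNORECASE)


def blocked_by_rule(query_string):
    """True when the condition matches, so the RewriteRule's [F] returns 403."""
    return RULE.search(query_string) is not None


def triggering_escapes(query_string):
    """Percent-escapes in the raw query string that make the condition match."""
    return [m.group(0).upper() for m in ESCAPE.finditer(query_string)]


def decoded(query_string):
    """What the application would have seen had the request been let through."""
    return unquote(query_string, encoding="utf-8", errors="replace")


# Constructed sample query strings (not taken from any real log).
SAMPLES = [
    "action=%C3%A0",      # UTF-8 "à", the case reported in the thread
    "q=%c3%a9",           # lower-case hex, still caught because of [NC]
    "q=%E2%82%AC",        # UTF-8 euro sign
    "q=line%0Abreak",     # encoded newline, also covered by the %0 branch
    "q=hello%20world",    # encoded space, first hex digit 2: passes
    "a=1&b=2",            # plain ASCII: passes
]

if __name__ == "__main__":
    for qs in SAMPLES:
        verdict = "403" if blocked_by_rule(qs) else "ok "
        print(f"{verdict}  {qs:<18} escapes={triggering_escapes(qs)} "
              f"decoded={decoded(qs)!r}")
```

Every UTF-8 encoded non-ASCII character starts with a byte in the range C2 to F4, so the `%C`, `%D`, `%E` and `%F` branches reject any such parameter before the script runs.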
