Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL
From: Joshua Kogut <jmkogut@xxxxxxxxx>
Date: Sat, 15 Oct 2005 17:45:53 -0400
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxx
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxxxx
Delivered-to: mailing list users@xxxxxxxxxxxxxxxx
In-reply-to: <001601c5cf5a$19059650$6501a8c0@inspiron8200>
Mailing-list: contact users-help@xxxxxxxxxxxxxxxx; run by ezmlm
References: <001601c5cf5a$19059650$6501a8c0@inspiron8200>
Reply-to: users@xxxxxxxxxxxxxxxx

You said that _javascript_ send a variable to apache. Huh? Isn't _javascript_ (mostly) client-side? Also, you could also use different characters and then compensate for that with mod_rewrite, I think. As far as disabling mod_security, if you use apache as a local testing server you shouldn't need to worry about security, but if its a production server, I would

On 10/12/05, Marc Rabil <marc@xxxxxxxxxxxx > wrote:

Folks,

We have a web application that uses _javascript_ to add a parameter and a value to a URL before sending it to Apache server version 1.3.31. In some cases, the value contains the less than (<) or greater than (>) characters so we use the _javascript_ escape function to convert the characters before sending. So for a value such as '<<<', the URL looks like this: http://localhost/ourapp/index.htm?value=%3C%3C%3C.

This causes Apache to return a 403 Access Forbidden error and says: 'Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags'.

Is there a way to disable this security check or otherwise configure the server to permit this type of URL?

Thanks in advance for any help,

Marc

--
|| jmkogut ||
email: jmkogut@xxxxxxxxx
|| Networking: Where all your problems are category 5. ||

References:
- [users@httpd] Problem with Less Than/Greater Than Characters in URL
  - From: Marc Rabil

Prev by Date: Re: [users@httpd] Apache not working?
Next by Date: Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL
Previous by thread: Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL
Next by thread: [users@httpd] mod_log_forensic compile error
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]