Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



You said that _javascript_ send a variable to apache. Huh? Isn't _javascript_ (mostly) client-side? Also, you could also use different characters and then compensate for that with mod_rewrite, I think. As far as disabling mod_security, if you use apache as a local testing server you shouldn't need to worry about security, but if its a production server, I would

On 10/12/05, Marc Rabil <marc@xxxxxxxxxxxx > wrote:

Folks,

 

We have a web application that uses _javascript_ to add a parameter and a value to a URL before sending it to Apache server version 1.3.31.  In some cases, the value contains the less than (<) or greater than (>) characters so we use the _javascript_ escape function to convert the characters before sending.  So for a value such as '<<<', the URL looks like this: http://localhost/ourapp/index.htm?value=%3C%3C%3C.

 

This causes Apache to return a 403 Access Forbidden error and says: 'Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags'.

 

Is there a way to disable this security check or otherwise configure the server to permit this type of URL?

 

Thanks in advance for any help,

 

Marc

 




--
||  jmkogut  ||
email: jmkogut@xxxxxxxxx
|| Networking: Where all your problems are category 5. ||

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux