All CMS Builder Links suddenly return Error 403 - Forbidden
14 posts by 6 authors in: Forums > CMS Builder
Last Post: June 1, 2012 (RSS)
By Dave - May 14, 2012
Hi Steve,
Thanks for the recommendation! :)
If you still have a copy of that hacked .htaccess and the line wasn't already one that was picked up by the scanner could you email me a copy of it to dave@interactivetools.com?
We're adding more and more patterns and should have an improved release out within a week or two.
Thanks!
Thanks for the recommendation! :)
If you still have a copy of that hacked .htaccess and the line wasn't already one that was picked up by the scanner could you email me a copy of it to dave@interactivetools.com?
We're adding more and more patterns and should have an improved release out within a week or two.
Thanks!
Dave Edis - Senior Developer
interactivetools.com
interactivetools.com
Re: [Dave] All CMS Builder Links suddenly return Error 403 - Forbidden
By rconring - May 15, 2012
Good Grief!!! That explains a problem I have been fighting along with a site exploit for the past few days. My problem was similar, but somewhat different in that it only affected links where the ? was followed with a hyphen ... eg: "?-". The remaining hyphens in the query caused no problem as long as it was not the first character in the query. I had to modify a ton of code to rectify this. Good to know it wasn't something I did. LOL
Ron Conring
Conring Automation Services
----------------------------------------
Software for Business and Industry Since 1987
Conring Automation Services
----------------------------------------
Software for Business and Industry Since 1987
Re: [rconring] All CMS Builder Links suddenly return Error 403 - Forbidden
By Steve99 - May 16, 2012
Yes, it definitely sheds some light on that!
In response to you identifying that PHP page links followed by "?-"... Here is one of the exploits... In affected server environments that haven't been patched, when "?-s" is entered in the URL bar following "yourpage.php" it reveals the ENTIRE PHP source code... As part of the patching, hyphens directly following the question mark are being set to be disallowed - thus breaking pages that have URL strings as such.
Hosting companies have been all over this since the info came out and attacks had hit. It's highly recommended to scan all hosting accounts that operate in the affected environment.
Hosting accounts running PHP-CGI have been vulnerable, mostly on "sandboxed" shared accounts that run PHP in this fashion - which was done for running individual instances with all intentions being to make it more secure in said environments...
There is a lot more information available if you research the CVE numbers on the php.net website.
Hope this helps.
In response to you identifying that PHP page links followed by "?-"... Here is one of the exploits... In affected server environments that haven't been patched, when "?-s" is entered in the URL bar following "yourpage.php" it reveals the ENTIRE PHP source code... As part of the patching, hyphens directly following the question mark are being set to be disallowed - thus breaking pages that have URL strings as such.
Hosting companies have been all over this since the info came out and attacks had hit. It's highly recommended to scan all hosting accounts that operate in the affected environment.
Hosting accounts running PHP-CGI have been vulnerable, mostly on "sandboxed" shared accounts that run PHP in this fashion - which was done for running individual instances with all intentions being to make it more secure in said environments...
There is a lot more information available if you research the CVE numbers on the php.net website.
Hope this helps.
Re: [Dave] All CMS Builder Links suddenly return Error 403 - Forbidden
By Dave - June 1, 2012
For anyone else who has this issue, here's a quick overview.
There was a security flaw found in the way some web hosting servers implemented PHP in May 2012 which allow malicious users to pass commands to PHP. You can check if your host is affected by adding ?-s to the end of any PHP page, eg: index.php?-s If you see your source code, you are vulnerable. If your site renders normally, you are not.
If you get a 403 Forbidden error, though, it means your host has implemented a temporary workaround that prevents the attack, but also blocks some valid safe URLs like CMSB uses. This is referenced on PHP.net here (http://www.php.net/archive/2012.php#id2012-05-06-1) where they provide the workaround say the following: "Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly."
Of course, unless you control your web hosting server you can't modify the workaround patch they're using, and we've run into a few hosts who are unwilling or unable to actually patch PHP and have servers that won't accept these otherwise valid URLs.
So for those cases, I've attached a small plugin that adds ?p= to the beginning of the automatically generated urls, so instead of: http://www.example.com/news-item.php?Headline-goes-here-123
You get: http://www.example.com/news-item.php?p=Headline-goes-here-123
It's always better to have your host actually fix the underlying issues, but if that's not possible then this plugin is a workaround for their workaround. :)
Hope that helps!
There was a security flaw found in the way some web hosting servers implemented PHP in May 2012 which allow malicious users to pass commands to PHP. You can check if your host is affected by adding ?-s to the end of any PHP page, eg: index.php?-s If you see your source code, you are vulnerable. If your site renders normally, you are not.
If you get a 403 Forbidden error, though, it means your host has implemented a temporary workaround that prevents the attack, but also blocks some valid safe URLs like CMSB uses. This is referenced on PHP.net here (http://www.php.net/archive/2012.php#id2012-05-06-1) where they provide the workaround say the following: "Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly."
Of course, unless you control your web hosting server you can't modify the workaround patch they're using, and we've run into a few hosts who are unwilling or unable to actually patch PHP and have servers that won't accept these otherwise valid URLs.
So for those cases, I've attached a small plugin that adds ?p= to the beginning of the automatically generated urls, so instead of: http://www.example.com/news-item.php?Headline-goes-here-123
You get: http://www.example.com/news-item.php?p=Headline-goes-here-123
It's always better to have your host actually fix the underlying issues, but if that's not possible then this plugin is a workaround for their workaround. :)
Hope that helps!
Dave Edis - Senior Developer
interactivetools.com
interactivetools.com