All CMS Builder Links suddenly return Error 403 - Forbidden

14 posts by 6 authors in: Forums > CMS Builder
Last Post: June 1, 2012   (RSS)

By Dave - May 14, 2012

Hi Steve,

Thanks for the recommendation! :)

If you still have a copy of that hacked .htaccess and the line wasn't already one that was picked up by the scanner could you email me a copy of it to dave@interactivetools.com?

We're adding more and more patterns and should have an improved release out within a week or two.

Thanks!
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] All CMS Builder Links suddenly return Error 403 - Forbidden

By rconring - May 15, 2012

Good Grief!!! That explains a problem I have been fighting along with a site exploit for the past few days. My problem was similar, but somewhat different in that it only affected links where the ? was followed with a hyphen ... eg: "?-". The remaining hyphens in the query caused no problem as long as it was not the first character in the query. I had to modify a ton of code to rectify this. Good to know it wasn't something I did. LOL
Ron Conring
Conring Automation Services
----------------------------------------
Software for Business and Industry Since 1987

Re: [Dave] All CMS Builder Links suddenly return Error 403 - Forbidden

By Dave - June 1, 2012

For anyone else who has this issue, here's a quick overview.

There was a security flaw found in the way some web hosting servers implemented PHP in May 2012 which allow malicious users to pass commands to PHP. You can check if your host is affected by adding ?-s to the end of any PHP page, eg: index.php?-s If you see your source code, you are vulnerable. If your site renders normally, you are not.

If you get a 403 Forbidden error, though, it means your host has implemented a temporary workaround that prevents the attack, but also blocks some valid safe URLs like CMSB uses. This is referenced on PHP.net here (http://www.php.net/archive/2012.php#id2012-05-06-1) where they provide the workaround say the following: "Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly."

Of course, unless you control your web hosting server you can't modify the workaround patch they're using, and we've run into a few hosts who are unwilling or unable to actually patch PHP and have servers that won't accept these otherwise valid URLs.

So for those cases, I've attached a small plugin that adds ?p= to the beginning of the automatically generated urls, so instead of: http://www.example.com/news-item.php?Headline-goes-here-123
You get: http://www.example.com/news-item.php?p=Headline-goes-here-123

It's always better to have your host actually fix the underlying issues, but if that's not possible then this plugin is a workaround for their workaround. :)

Hope that helps!
Dave Edis - Senior Developer
interactivetools.com