403 Forbidden when passing URL in GET variable

Question

I am having a problem like this:
403 Forbidden on PHP page called with url encoded in a $_GET parameter

I am getting "403 forbidden" error When i pass a url as a GET variable like this

http://script/test.php?url=https://stackoverflow.com/questions/ask

But this is ok.

http://script/test.php?url=stackoverflow.com/questions/ask

And even if i urlencode the url it still gives me a 403.

Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at ----- Port 80

And I don't think this server has mod_security enabled, Because when I add SecFilterEngine Off in htaccess I get "500 Internal Server Error".

Code snippet:

$URL = mysql_real_escape_string($_GET['url']);
mysql_query("INSERT INTO `url` ...");

So the question is, can I fix this without editing httpd.conf, because I don't have root privilege. Thanks

Answer 1

Do you have access to the apache error log itself? If this is a cPanel system and you have shell access, try viewing the log /usr/local/apache/logs/error_log - mod_security errors will appear there. Otherwise, you can look inside your control panel to see if it picks up any error messages.

Even if mod_security is installed, you can still get a 500 error after putting SecFilterEngine in .htaccess if the keyword isn't allowed.

I recommend contacting your web host to determine whether mod_security is the cause. If it is, you can ask them to create an exception. (I work for a web hosting company, and we're almost always happy to make mod_security exceptions for reasonable applications)

If it's caused by mod_security and your web host won't create an exception, you either need to change hosting companies or find a different way to pass the url (base64 encoding might work for you)