tags:
views: 22
answers: 1

Hi all, I have a simple form that submits to a post.php file. This form has input fields. If the text written in any of these input fields is "System something", then I get a 403 Forbidden error.

However, if I write the same System in quotes, i.e. "System", then it works fine.

It seems that System is being treated as a command here, and what I write after it is being treated as the parameter.

The code is not even reaching post.php. Even if I delete the post.php file, I still get a 403 error instead of a file not found error. Maybe it is something to do with Apache.

Please advise. Below is the form:

<form action="post.php" method="post" name="form1">
  <table cellspacing="0" cellpadding="4" border="0">
    <tbody>
      <tr valign="top">
        <td>Title</td>
        <td><input type="text" value="" size="40" id="title" name="title"></td>
      </tr>
      <tr valign="top">
        <td>Company</td>
        <td><input type="text" value="" size="40" id="company" name="company"></td>
      </tr>
      <tr valign="top">
        <td>Responsibilities</td>
        <td><textarea id="responsibilities" rows="7" cols="55" name="responsibilities"></textarea></td>
      </tr>
      <tr valign="top">
        <td>Position Requirements</td>
        <td><textarea id="requirements" rows="7" cols="55" name="requirements"></textarea></td>
      </tr>
      <tr valign="top">
        <td>Contact</td>
        <td><textarea id="contact" rows="7" cols="55" name="contact"></textarea></td>
      </tr>
      <tr valign="top">
        <td>Contact Name</td>
        <td><input type="text" value="" size="40" id="contact_name" name="contact_name"></td>
      </tr>
      <tr valign="top">
        <td>Contact Title</td>
        <td><input type="text" value="" size="40" id="contact_title" name="contact_title"></td>
      </tr>
      <tr valign="top">
        <td>Address 1</td>
        <td><input type="text" value="" size="40" id="address1" name="address1"></td>
      </tr>
      <tr valign="top">
        <td>Address 2</td>
        <td><input type="text" value="" size="40" id="address2" name="address2"></td>
      </tr>
      <tr valign="top">
        <td>Contact Phone</td>
        <td><input type="text" value="" size="40" id="contact_phone" name="contact_phone"></td>
      </tr>
      <tr valign="top">
        <td>Contact Fax</td>
        <td><input type="text" value="" size="40" id="contact_fax" name="contact_fax"></td>
      </tr>
      <tr valign="top">
        <td>Contact Email</td>
        <td><input type="text" value="" size="40" id="contact_email" name="contact_email"></td>
      </tr>
      <tr valign="top">
        <td>Contact Website</td>
        <td><input type="text" value="" size="40" id="contact_website" name="contact_website"></td>
      </tr>
      <tr valign="top">
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
      <tr valign="top">
        <td colspan="2"><input type="submit" value="Add Job" name="Submit"></td>
      </tr>
    </tbody>
  </table>
</form>

Here are the HTTP headers sent:

(Request-Line)  POST /admin/jobbank/post.php HTTP/1.1
User-Agent      Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9
Accept          text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive      300
Connection      keep-alive
Referer         jobbank/add.php
Cookie          PHPSESSID=bc679ded5a7f7650692084042c137d77
Content-Type    application/x-www-form-urlencoded
Content-Length  188

The HTTP response received:

(Status-Line)     HTTP/1.1 403 Forbidden
Date              Tue, 31 Aug 2010 09:52:16 GMT
Server            Apache/1.3.41 Ben-SSL/1.60 (Unix) mod_gzip/1.3.26.1a mod_fastcgi/2.4.2 mod_throttle/3.1.2 Chili!Soft-ASP/3.6.2 FrontPage/5.0.2.2635 mod_perl/1.30 PHP/4.4.9
Keep-Alive        timeout=15
Connection        Keep-Alive
Transfer-Encoding chunked
Content-Type      text/html; charset=iso-8859-1
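The experiment the poster ran by hand (same body, handler present vs. deleted, trigger value vs. plain value) is the standard way to tell a server-side request filter from an application decision. The script below is an added example, not code from the original question or answer: it sends every combination of path and field value and reads the pattern of status codes. If the 403 tracks the body and ignores the path, the block happens before PHP runs. The host name, the "missing" path, the field values and the simulated server responses are constructed for illustration.

```python
"""Differential test: is a 403 coming from the application or from a filter in
front of it?  Added example, not the original poster's code."""
import http.client
import urllib.parse
from itertools import product

HOST = "www.example.com"  # assumption: replace with the real site
PATHS = {
    "real": "/admin/jobbank/post.php",               # handler from the question
    "missing": "/admin/jobbank/does-not-exist.php",  # assumed non-existent path
}
VALUES = {
    "benign": "Senior engineer",
    "quoted": '"System" administrator',  # poster reports this passes
    "trigger": "System administrator",   # poster reports this is blocked
}


def http_post(path, fields):
    """Real transport: urlencoded POST to HOST, returning only the status code."""
    body = urllib.parse.urlencode(fields)
    conn = http.client.HTTPConnection(HOST, timeout=10)
    try:
        conn.request("POST", path, body,
                     {"Content-Type": "application/x-www-form-urlencoded"})
        return conn.getresponse().status
    finally:
        conn.close()


def simulated_post(path, fields):
    """Constructed stand-in for the server described in the question: 403
    whenever any field reads 'System <word>', regardless of path; otherwise
    200 for the real handler and 404 for anything else."""
    for value in fields.values():
        words = value.split()
        if len(words) >= 2 and words[0] == "System":
            return 403
    return 200 if path == PATHS["real"] else 404


def run_matrix(post, paths=PATHS, values=VALUES, field="title"):
    """Send every (path, value) combination through `post`.
    Returns {(path_label, value_label): status}."""
    results = {}
    for (plabel, path), (vlabel, value) in product(paths.items(), values.items()):
        results[(plabel, vlabel)] = post(path, {field: value, "company": "ACME"})
    return results


def classify(results):
    """'server_filter' - the trigger value is 403 on every path and nothing
                         else is: the decision is made before the application.
       'app_decision'  - 403 only ever appears for the real handler and the
                         missing path behaves normally (404).
       'unclear'       - anything else; read the raw matrix."""
    trigger = [s for (_, v), s in results.items() if v == "trigger"]
    others = [s for (_, v), s in results.items() if v != "trigger"]
    if trigger and all(s == 403 for s in trigger) and 403 not in others:
        return "server_filter"
    real = [s for (p, _), s in results.items() if p == "real"]
    missing = [s for (p, _), s in results.items() if p == "missing"]
    if 403 in real and missing and all(s == 404 for s in missing):
        return "app_decision"
    return "unclear"


if __name__ == "__main__":
    # Swap simulated_post for http_post to run against a live host.
    matrix = run_matrix(simulated_post)
    for key, status in sorted(matrix.items()):
        print(f"{key[0]:8s} {key[1]:8s} -> {status}")
    print("verdict:", classify(matrix))
```

Against the behaviour in the question the verdict is `server_filter`: the quoted variant passes, the unquoted one is refused even for a path that cannot exist, so nothing in post.php is involved. A real handler returning 403 on its own would leave the non-existent path at 404.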
+2  A: 

I guess you have some protection module for Apache that checks GET and POST variables for suspicious values, like http://www.modsecurity.org/

You need to tune it or turn it off.

I think they are a pain in the ass most of the time...

FractalizeR
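"Tune it" is the better of the two options: a rule that fires on "System <word>" in a job title is a false positive, but turning the engine off also drops every other check. The fragment below is an added example, not configuration from the original answer or from the poster's server. It uses ModSecurity 2.x directive syntax; the rule id 900001, the regex and the field names are assumptions made to reproduce the symptom and then scope the exception to this one form. One caveat for the poster's case: the response shows Apache/1.3.41, which can only run the ModSecurity 1.x series, whose directives (SecFilterSelective and friends) differ from what is shown here.

```apache
# Added example: a broad rule of the kind that produces the symptom in the
# question. Any request argument that looks like "system <word>" is refused
# with 403 in phase 2 (request body), before the request reaches post.php.
# Rule id 900001 and the pattern are assumptions for illustration.
SecRule ARGS "@rx (?i)\bsystem\s+\w+" \
    "id:900001,phase:2,deny,status:403,log,msg:'Suspected command in form input'"

# Option 1: keep the rule everywhere, but stop it from inspecting the free-text
# fields of this form (field names taken from the posted form).
# SecRuleUpdateTargetById needs ModSecurity 2.6 or newer.
SecRuleUpdateTargetById 900001 "!ARGS:title,!ARGS:responsibilities,!ARGS:requirements"

# Option 2: drop the rule only for the job-bank handler, so the rest of the
# site keeps the check. SecRuleRemoveById is allowed in a per-location context.
<LocationMatch "^/admin/jobbank/post\.php$">
    SecRuleRemoveById 900001
</LocationMatch>

# Not recommended: this disables every rule for the whole server.
# SecRuleEngine Off
```

Either option leaves the audit log (the `log` action above) in place, so the blocked request still shows up with the rule id and the matched field, which is also how to find out which rule was firing in the first place: look for the 403 in the ModSecurity audit log rather than guessing from the browser side.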