Hey all,

I'm trying to set a cookie for my phpBB forums from a MediaWiki login page. Using the hook after a login to the wiki is successful, I want to run a php script that sets the cookie.

The script works when I run it independently or when I use GET, but for security reasons I want to POST to the script. For this I figured curl would be the best option.

Unfortunately, even the basic script like this:

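// Create the cURL handle before setting options on it
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.mydomain.com/ForumLogin.php");
// Do not include response headers in the output
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);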

Gives me a 403 Forbidden error. There are no rules in robots.txt that should interfere. What else could I try to get the script to work, or are there any other ways I could run the script from within MediaWiki?

A: 

Please check the forum below.

http://bytes.com/topic/php/answers/160081-curl-gives-403-forbidden

Hope this helps.

Yogesh
The options here I'd already tried. Doesn't solve it, unfortunately.
Litso
+1  A: 

Or http://www.checkupdown.com/status/E403.html

Alex
Ah, this got me a little further: when using a relative path (instead of the full URL) to the file I don't get the error anymore. The script still doesn't work, but at least access is allowed. Any idea how I can debug this now?
Litso
Hmm, apparently it now directs to http://ForumLogin.php, this doesn't work either..
Litso
+1  A: 

I'd suspect the justification for this is explicitly to stop automated behaviour - an anti-bot or general security measure. You may wish to look at the source code of the destination site and check for any such measures - a quick search of the code for '403' might offer some insight. It may even be the case that POST requests are not legitimate in that context - and thus prevented for security reasons.

I'm not sure what you mean by 'for security reasons' by the way. POST isn't more secure than GET. They're both open to just as much scrutiny.

Rushyo
The destination is a hand-scripted page of about 20 rules. I didn't send a POST yet, even the basic script in the question is denied by the receiving script. Also, because I have to send the username and password from one script to the other I figured I shouldn't do that in the query string of a URL. Am I wrong?
Litso
Have you checked the server configuration? How about other pages? Regarding the other issue: POST is no more secure. You need SSL to keep the information secret in transit.
Rushyo
Ok, I realize when using curl GET and POST don't make a difference, but I chose curl because I didn't want a GET in the URL. Which is less safe, because it saves your username and pass as a query string in the browser history. Anyway, it's not the issue. What should I check in the server configuration?
Litso
That depends on the server. Anything related to access privileges really... I'd also recommend testing cURL is working as intended by making a similar req. to another document (if you haven't already). You need to rule out as many variables/technologies as possible to narrow down the options (there's a million reasons you might get a 403, it's kinda like saying you got a BSOD for accessing protected memory). ...and no, it's no less safe. Trust me. Making it obscure doesn't make it any more secure. Staple rule of security.
Rushyo
Bah, this is gonna suck :P Thanks for the advice, I'll probably accept your answer somewhere today when I give up.
Litso
Well, even if I strip everything from the two scripts and try to curl one page from the other I get the error :/
Litso
What about if you try to cURL another server? Do you still get a 403? If not, I'd check your server configuration first and foremost for anything related to access privileges.
Rushyo
Haven't solved it, but you helped me well. Thanks.
Litso
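
The debugging steps and the SSL point discussed in this thread, as an added example that is not code from any of the posters: a POST to the login script over HTTPS that captures the status code, response headers and cURL's verbose trace, so a 403 can be traced to a specific request. The function name postLogin, the field names and the credentials are assumptions, and it assumes the placeholder domain from the question serves HTTPS; run it from the command line.

```php
<?php
// Added example: POST credentials to the forum login script over HTTPS and
// report why a request failed. URL, field names and values are placeholders.

function postLogin(string $url, array $fields): array
{
    // cURL does not resolve relative paths: "ForumLogin.php" is read as a host name.
    $parts = parse_url($url);
    if (($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException('Use an absolute https:// URL');
    }

    $log = fopen('php://temp', 'w+');            // collects cURL's verbose trace
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // request body, not query string
        CURLOPT_RETURNTRANSFER => true,          // return the response instead of echoing it
        CURLOPT_HEADER         => true,          // keep response headers for diagnosis
        CURLOPT_FOLLOWLOCATION => false,         // never resend credentials to a redirect target
        CURLOPT_SSL_VERIFYPEER => true,          // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,             // and that it matches the host name
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,
    ]);

    $response = curl_exec($ch);
    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $result = [
        'status' => curl_getinfo($ch, CURLINFO_HTTP_CODE),   // 0 if no HTTP response arrived
        'error'  => curl_error($ch),                          // transport or TLS failure text
        'url'    => curl_getinfo($ch, CURLINFO_EFFECTIVE_URL),
        'head'   => $response === false ? '' : substr($response, 0, $headerSize),
    ];
    curl_close($ch);

    rewind($log);
    $result['trace'] = stream_get_contents($log);
    fclose($log);
    return $result;
}

// Constructed credentials; the host is the placeholder domain from the question.
$r = postLogin('https://www.mydomain.com/ForumLogin.php',
               ['username' => 'example', 'password' => 'example-password']);
printf("HTTP %d from %s\n%s\n%s", $r['status'], $r['url'], $r['error'], $r['head']);
if ($r['status'] === 403) {
    fwrite(STDERR, $r['trace']);  // request line and headers the server rejected
}
```

The verbose trace contains the request headers cURL sent, which can be compared with what the web server's access rules expect.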