403 Forbidden

Status
Not open for further replies.

caftpx10

Well-Known Member
Messages
1,534
Reaction score
114
Points
63
Mind stating the changes that were in the newer version of the script? (Basically a little change log.)
 

adler96

Member
Messages
117
Reaction score
2
Points
18
A small section was commented out, and a small new one was added (almost copy/paste from another one).
 

caftpx10

Well-Known Member
Messages
1,534
Reaction score
114
Points
63
Would this small section be HTML or PHP? What is that section supposed to do?
 

adler96

Member
Messages
117
Reaction score
2
Points
18
Just check if a php extension is available.

Commented out:

/*echo "<tr><td>JSON decode emulated support</td>";
require_once 'facebook/jsonemulation.php';
if (!function_exists('json_decode')) { echo "<td>&cross;</td><td>The Facebook integration won't be available</td>"; }
else echo "<td>&check;</td><td></td>";
echo "</tr>";*/

Added:

echo "<tr><td>mysqli extension enabled</td>";
if (!extension_loaded('mysqli')) { echo "<td>&cross;</td><td>Database operations will fail</td>"; }
else echo "<td>&check;</td><td></td>";
echo "</tr>";
 

caftpx10

Well-Known Member
Messages
1,534
Reaction score
114
Points
63
Can you create a new PHP script and only use the added part?
Also, echo whatever text you want after the last echo so that we can see if the script succeeds if it were to not 403.
I believe we're getting onto something here.
 
Last edited:

Bryon

I Fix Things
Messages
8,149
Reaction score
101
Points
48
Hi, the problem is that mod_security is failing the request due to the output of phpinfo(). Please try to stop the direct output of phpinfo() to the browser and confirm whether that resolves the problem on your end. It looks like our mod_security rules are considering part of the phpinfo output to be from a web shell of some sort.
 

adler96

Member
Messages
117
Reaction score
2
Points
18
Commenting out the phpinfo line the script runs fine.

I use this script to see if everything is fine or anything required by the site is not available. phpinfo is called there just to give me additional information in case there are any issues.

Would showing the phpinfo output be considered a security risk?
 

caftpx10

Well-Known Member
Messages
1,534
Reaction score
114
Points
63
Yes and no.
phpinfo() is only considered to be a real security risk if an attacker were to view as it would assist them in finding out what you do and don't have and versions of many things such as modules.
With all that information and an exploit of their choice, it can be easier for them to get in.
 
Status
Not open for further replies.
Top