Files being 403 Forbidden'd, possibly due to their extension?

Status
Not open for further replies.

doqkx10m

New Member

caftpx10

Well-Known Member
Mod_security2 is not limited to GNU/Linux; it also works on Windows.
It seems to be blocked to avoid execution if it were to be hosted on a Windows system (even though the server being used isn't).
Also, this pattern block is based on detecting '.cmd' in the path, so the file doesn't have to exist for it to throw out a 403.
 

bdistler

Well-Known Member
Prime Account
What gives?
mod_security settings will throw a 404 error if it sees a "leaky" response and a 403 error if it sees a "shady" request.

You'll get either a 403, a 404 or an empty response instead, depending on the apparent severity.
 

caftpx10

Well-Known Member
What you could do about this is rename the files to have a different file extension (note that .bak also causes 403) or place it in an archive.
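
The behaviour described in the posts above (a 403 decided from the URL path alone, whether or not the file exists, and the rename or archive workaround), modelled in Python as an added example that is not part of the thread and is not x10hosting's actual rule. The blocked set (.cmd and .bak, as named in the thread), case-insensitive matching on the URL-decoded path, and the names `BLOCKED_EXTENSIONS`, `DOCROOT`, `blocked_by_extension` and `respond` are assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumption: only the extensions the thread reports as blocked. The host's
# real rule set is not shown on the page.
BLOCKED_EXTENSIONS = {".cmd", ".bak"}

# Constructed stand-in for the files that actually exist under the docroot.
DOCROOT = {"/files/install.cmd", "/files/install.txt", "/files/install.cmd.zip"}


def blocked_by_extension(url: str) -> bool:
    """True if the request path, taken on its own, ends in a blocked extension."""
    path = unquote(urlsplit(url).path)         # drop the query string, decode %xx
    ext = posixpath.splitext(path.lower())[1]  # final extension, case-insensitive
    return ext in BLOCKED_EXTENSIONS


def respond(url: str) -> int:
    """Status the client sees: the filter runs before any file lookup."""
    if blocked_by_extension(url):
        return 403                             # never reaches the filesystem
    path = unquote(urlsplit(url).path)
    return 200 if path in DOCROOT else 404


if __name__ == "__main__":
    # Constructed sample requests.
    for url in (
        "/files/install.cmd",      # file exists, still 403
        "/nope/missing.cmd",       # file does not exist: 403, not 404
        "/files/install%2Ecmd",    # decoded before matching
        "/files/old.bak?x=1",      # .bak is blocked as well
        "/files/install.cmd.zip",  # archived copy: final extension is .zip
        "/files/install.txt",      # renamed copy
        "/files/missing.txt",      # ordinary 404
    ):
        print(respond(url), url)
```
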
 

doqkx10m

New Member
Ok... so I'm trying to wget those files so they would have to be directly linked anyway.

Any way to fix this in a setting or something?
 

bdistler

Well-Known Member
Prime Account
Any way to fix this in a setting or something?
Mod_Security is a Web Application Firewall (WAF) that filters and blocks known malicious HTTP requests. Blocked HTTP requests include many, but not all forms of Brute Force, Cross-Site Scripting (XSS), Remote File Inclusion (RFI), Remote Execution, and SQL injection (SQLi) attacks.

While x10hosting discourages it, Premium account users have the ability to completely disable [ mod_security ] on their account via cPanel.

For free-hosting accounts, x10hosting has a customized web server setup that does not allow for the same cPanel functionality to disable all or part of [ mod_security ]. x10hosting also decided it would not be a good idea to allow free-hosting users to disable any of it, as it is used not only to protect against inbound malicious attacks but to prevent outbound abuse also. Unfortunately, free-hosting still gets abusive signups, and allowing those abusive users to disable something that helps to prevent their malicious actions would not be in x10hosting's best interest.
 

caftpx10

Well-Known Member
Unless the X10hosting servers (GNU/Linux) have something like Wine installed for some reason, this rule shouldn't be enabled as it does not pose any security risk.
 

doqkx10m

New Member
While x10hosting discourages it, Premium account users have the ability to completely disable [ mod_security ] on their account via cPanel.
Right...

So in essence I buy their already overpriced premium hosting service or I seek hosting elsewhere.
mmk thanks :)
 

bdistler

Well-Known Member
Prime Account
...as it does not pose any security risk.
[ mod_security ] is used to not only protect against inbound malicious attacks but also to prevent outbound (from x10hosting) malicious attacks
 

caftpx10

Well-Known Member
[ mod_security ] is used to not only protect against inbound malicious attacks but also to prevent outbound (from x10hosting) malicious attacks
Note that this is a URL pattern check. This isn't to do with detection of something like cURL (in a PHP script) requesting one.
 

Dead-i

x10Hosting Support Ninja
Community Support
Right...

So in essence I buy their already overpriced premium hosting service or I seek hosting elsewhere.
mmk thanks :)
Hi doqkx10m,

Sorry to hear you're having problems with this. The purpose of using mod_security on our servers is to protect our free hosting customers from common website attacks, and we would never use it to upsell premium hosting to you. Since our service is completely free, I'm sure you understand that we do get many users that create an account and install vulnerable, outdated software/plugins on their hosting account, making their website vulnerable and our servers vulnerable. Mod Security helps to prevent this.

I took a quick look at the server error logs, and it looks like files with the "cmd" extension are being blocked to prevent RFD attacks. While sometimes I'm able to disable mod_security rules for individual users if they are wrongly hitting a rule, this rule in particular is in place to prevent a common web attack, and this isn't something I would want to disable. Please consider using a different file extension (plus, distributing bat/cmd files usually isn't a good idea anyway). ;)

Please let me know if you have any further questions.

Thank you,
 