When I pass URL input to an HTML form it redirects me to a 403 page

Status
Not open for further replies.

xslikerx

New Member
Messages
14
Reaction score
0
Points
1
I have uploaded a simple script at http://xsliker.tk/test/

There are two pages:

index.html
PHP:
<!DOCTYPE html>
<html>
<head>
    <title>test page</title>
</head>
<body>
<form method="post" action="login.php">
    <input type="text" name="name">
    <input type="submit" name="sb">
</form>
</body>
</html>

login.php
PHP:
<!DOCTYPE html>
<html>
<head>
    <title>success</title>
</head>
<body>
<p>you have logged in successfully.</p>
<a href="index.html">logout</a>
</body>
</html>

Now if you enter a URL (such as http://google.com) into the input on the index.html page, you get redirected to a 403 error page :(

Please help.
 

consolev

New Member
Messages
14
Reaction score
0
Points
1
Works fine for me. Could be that your IP is blacklisted. Otherwise this is a server-side issue. A few people have complained about the 403 error recently, and it could be that your IP is dynamic and changes often, associating you with an IP that has previously been used for spamming.
 

bdistler

Well-Known Member
Prime Account
Messages
3,534
Reaction score
196
Points
63

caftpx10

Well-Known Member
Messages
1,534
Reaction score
114
Points
63
This is part of the active rules set in mod_security2.
This rule is supposed to prevent things like remote file execution (using external URLs) and an XSS method.

It can be very useless in the type of situation which you had pointed out.
 

essellar

Community Advocate
Community Support
Messages
3,295
Reaction score
227
Points
63
Believe it or not, there are very few instances where entering a URL into a field named "name" would not represent at least a preliminary attempt at malicious activity. Have you tried with a field named, say, "website", "site", "url" or "link"? Not all security rules are useless or heavy-handed; a lot of them actually make sense.
 

caftpx10

> Believe it or not, there are very few instances where entering a URL into a field named "name" would not represent at least a preliminary attempt at malicious activity. Have you tried with a field named, say, "website", "site", "url" or "link"? Not all security rules are useless or heavy-handed; a lot of them actually make sense.

Oops. I didn't make that clear.
For things such as name text boxes, it's of course important for those.
What I was referring to previously was the text fields that would be used to submit content to places such as blogs which can have URL(s) in their posts from time to time. When the rule gets triggered because of that one safe thing (still using the blog example), it isn't really helping on that part.
 

essellar

If the field names (the textarea names) make sense as content or body markers, the number of URLs posted doesn't fall into a typical spam profile, and the URLs do not have any side effects (no GET query strings), then yes, it should probably be considered "safe" by the system. It should also be noted that HTTP POST requests are far from being the only way that site owners can get information onto their own sites, but they're just about the only way a site user can do it without hacking the owner account.
 

xslikerx

> Believe it or not, there are very few instances where entering a URL into a field named "name" would not represent at least a preliminary attempt at malicious activity. Have you tried with a field named, say, "website", "site", "url" or "link"? Not all security rules are useless or heavy-handed; a lot of them actually make sense.

Input types are for browsers; browsers use them for client-side verification purposes. Whether you use url or text (input type), you will get the same thing on the server side.

To be sure I've also tried it with input type url... :)
 

xslikerx

> Works fine for me. Could be that your IP is blacklisted. Otherwise this is a server-side issue. A few people have complained about the 403 error recently, and it could be that your IP is dynamic and changes often, associating you with an IP that has previously been used for spamming.

Did you try entering a URL in the text box?
And if my IP is blacklisted, then how am I able to access the index page? (I should not be allowed to access any page then, if my IP is blacklisted!)
 

xslikerx

> This is part of the active rules set in mod_security2.
> This rule is supposed to prevent things like remote file execution (using external URLs) and an XSS method.
>
> It can be very useless in the type of situation which you had pointed out.

So now how can I get URL input from users? Please do something, it's very important to me. Fix that rule if possible.
 

essellar

> Input types are for browsers; browsers use them for client-side verification purposes. Whether you use url or text (input type), you will get the same thing on the server side.
>
> To be sure I've also tried it with input type url... :)
It's not the input type that matters (they're all the same - text - on submission) it's the name of the field, which becomes the name of a key in a key/value pair when submitted to the server. The server's security setup can use the key name as a hint to the expected value, and it does.
 

xslikerx

> It's not the input type that matters (they're all the same - text - on submission) it's the name of the field, which becomes the name of a key in a key/value pair when submitted to the server. The server's security setup can use the key name as a hint to the expected value, and it does.

Absolutely, but for now, how can I get a URL from users of my website?
 

essellar

Use a field name that implies that the user should enter a URL.
 

caftpx10

In addition to what @essellar said, you should have client and (if you're going to use PHP for the submission handling) server side validation for that.
So, you could use the 'url' input type (so not 'text') or use JavaScript to pick it up before completing a submission.
If you need server-side, PHP offers many methods of getting accurate validation for that.
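
The server-side check mentioned above, as an added example that is not part of the original thread: the field name arrives as the key in `$_POST`, and its value is validated before use. The helper `validate_submitted_url()` and the field name `website` are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not code from the thread.
// Returns the trimmed URL, or null when the value is rejected.
function validate_submitted_url($raw, int $maxLen = 2048): ?string
{
    // A request can send website[]=..., which makes the value an array.
    if (!is_string($raw)) {
        return null;
    }
    $url = trim($raw);
    if ($url === '' || strlen($url) > $maxLen) {
        return null;
    }
    // Reject control characters anywhere in the value.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return null;
    }
    // FILTER_VALIDATE_URL checks syntax only; it does not restrict the
    // scheme (javascript://... passes), so the scheme is checked below.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Reject embedded credentials such as http://user:pass@host/.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return $url;
}

// Constructed samples standing in for $_POST['website'] (assumed field name).
$samples = ['http://google.com', 'John Smith', 'javascript://example.com/x',
            'https://user:pw@example.com/', ['http://google.com']];
foreach ($samples as $s) {
    $label = is_string($s) ? $s : '(non-string value)';
    $result = validate_submitted_url($s) === null ? 'rejected' : 'accepted';
    // Escape on output: a validated URL is still user-supplied text.
    echo htmlspecialchars($label, ENT_QUOTES, 'UTF-8'), ' => ', $result, PHP_EOL;
}
```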
 

xslikerx

I've changed index.html to this (notice the input type and name changed):
PHP:
<!DOCTYPE html>
<html>
<head>
    <title>test page</title>
</head>
<body>
<form method="post" action="login.php">
    <input type="text" name="fbTokenURL">
    <input type="submit" name="sb">
</form>
</body>
</html>

Now it works perfectly. But my old index.html page also works (on other servers).
It looks like on x10hosting, if you want to get a URL from the user, you must have the word "*url*" in your input name field.

Thank you @essellar & @caftpx10
 