Apache/PHP/HTML - Textarea, submitting form that includes a line break (enter key) produces 403?

I have a strange problem that may be related to my Apache configuration rather than anything else, but I'm not sure, so I'm asking it here.

I have a contact form, and in that contact form there is a textarea.

If I fill in the contact form and, in the textarea, enter a single line of text, e.g.

Test

the form completes and I receive the email notification. But if, inside the textarea, I do the following:

Test
Test

I get the following result:

403 - Forbidden
Forbidden
You don't have permission to access /contact_us.php on this server.
To debug this, I added a marker to the form controller that stops the script once the form is submitted, so I have the following:
# IF SEND QUERY BUTTON IS CLICKED
if (isset($_POST['sendQuery']) && $_POST['sendQuery'] == 'Send Query')
{
    echo 'HALT HERE';
    exit;
    ...
}

When I submit the form with:

Test

I get HALT HERE, but when I submit:

Test
Test

the marker is never reached and I get the 403. That's why I think this may be related to Apache rather than just something I'm doing in PHP/HTML.

Does anyone know what could cause something like this? Thanks in advance!

Edit:

The server is Apache 2 with mod_security (+ OWASP rule set) and mod_evasive

php.ini

disable_functions = php_uname, getmyuid, getmypid, passthru, fpassthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abord, escapeshellarg, escapeshellcmd, shell_exec, curl_exec, curl_multi_exec, exec, dl, set_time_limit, system, highlight_file, source, show_source, fsocketopen, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, parse_ini_file. ini_alter, popen, phpinfo

In the vhost configuration I have set:

<LimitExcept GET POST>
     deny from all
</LimitExcept>

The form HTML is:

<form class="remove-bottom" action="" method="post">
...    
<textarea 
    name="userQuery" id="userQuery" 
    cols="40" rows="10" 
    value="" 
    maxlength="2000" 
    class="quarter-bottom" 
></textarea>
...
</form>

I get this in the Apache error log:

[Thu Mar 13 08:06:54 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd0751d6280 [id "950901"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/index.php"] [unique_id "UyFK-mAcYdcAACwKBI8AAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd0751d6280 [id "950901"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd075bb3940 [id "-"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"][line "27"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Warning. Match of "rx (?i:(<meta.*?(content|value)=''"text/html;''''s?charset=|<''''?xml.*?encoding=))" against "RESPONSE_BODY" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "APP_DEFECT/MISCONFIGURATION"] [tag "http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms"] [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd074f08b10 [id "-"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"][line "41"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Warning. Match of "rx (<meta.*?(content|value)=''"text/html;''''s?charset=utf-8|<''''?xml.*?encoding=''"utf-8''")" against "RESPONSE_BODY" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check]  The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8"] [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]

other_vhosts_access.log shows:

test.com:80 my.ip.my.ip - - [13/Mar/2014:08:38:47 +0200] "POST /contact_us.php HTTP/1.1" 403 463 "http://www.test.com/contact_us.php" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"

We ran into the same problem. We solved it by removing that rule from the ModSecurity configuration.
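As an added example (not from the original post or answer), here are the ModSecurity 2.x directives that address the "PCRE limits exceeded" entries in the error log above with less loss of coverage than dropping the rule: the CRS treats a regex that runs out of PCRE budget as an internal error and denies the request, which is the 403 in the access log. The limit values and the placement in the vhost are assumptions to tune for your own traffic.

```apache
# Added example, not part of the original question or answer.
# Goes in the vhost (or a local CRS exceptions file) AFTER the OWASP CRS
# activated_rules have been included, so the ById directives can find them.

# Option A: give the CRS regexes enough PCRE budget to finish on multi-line
# textarea input. ModSecurity 2.7+ defaults both limits to 1500, which the
# SQLi patterns in rule 950901 exhaust on a body containing line breaks.
# 100000 is an assumed starting point; raise only until the
# "PCRE limits exceeded" errors stop appearing in the error log.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000

# Option B (narrower than removing the rule): keep rule 950901 inspecting
# every other argument and only stop it from looking at the free-text
# field "userQuery" from the contact form.
SecRuleUpdateTargetById 950901 "!ARGS:userQuery"

# What the answer did: disable rule 950901 for every request and parameter.
# Broadest option, shown here only for comparison.
# SecRuleRemoveById 950901
```

After the change, re-submit a two-line textarea value and confirm both that the marker line is reached and that no new "Execution error - PCRE limits exceeded" entry appears for /contact_us.php.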