Posted to users@httpd.apache.org by Marc Rabil <ma...@simplica.com> on 2005/10/12 20:23:46 UTC

[users@httpd] Problem with Less Than/Greater Than Characters in URL

Folks,

We have a web application that uses JavaScript to add a parameter and a
value to a URL before sending it to Apache server version 1.3.31.  In some
cases, the value contains the less than (<) or greater than (>) characters
so we use the JavaScript escape function to convert the characters before
sending.  So for a value such as '<<<', the URL looks like this:
http://localhost/ourapp/index.htm?value=%3C%3C%3C.

This causes Apache to return a 403 Access Forbidden error and says: 'Due to
the presence of characters known to be used in Cross Site Scripting attacks,
access is forbidden. This web site does not allow Urls which might include
embedded HTML tags'.

Is there a way to disable this security check or otherwise configure the
server to permit this type of URL?

Thanks in advance for any help,

Marc

Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL

Posted by Joshua Kogut <jm...@gmail.com>.
You said that JavaScript sends a variable to Apache. Huh? Isn't JavaScript
(mostly) client-side? Also, you could use different characters and then
compensate for that with mod_rewrite, I think. As far as disabling
mod_security, if you use Apache as a local testing server you shouldn't need
to worry about security, but if it's a production server, I would

On 10/12/05, Marc Rabil <ma...@simplica.com> wrote:
>
>  Folks,
>
>  We have a web application that uses JavaScript to add a parameter and a
> value to a URL before sending it to Apache server version 1.3.31. In some
> cases, the value contains the less than (<) or greater than (>) characters
> so we use the JavaScript escape function to convert the characters before
> sending. So for a value such as '<<<', the URL looks like this:
> http://localhost/ourapp/index.htm?value=%3C%3C%3C.
>
>  This causes Apache to return a 403 Access Forbidden error and says: 'Due
> to the presence of characters known to be used in Cross Site Scripting
> attacks, access is forbidden. This web site does not allow Urls which might
> include embedded HTML tags'.
>
>  Is there a way to disable this security check or otherwise configure the
> server to permit this type of URL?
>
>  Thanks in advance for any help,
>
>  Marc
>
>


--
|| jmkogut ||
email: jmkogut@gmail.com
|| Networking: Where all your problems are category 5. ||

Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL

Posted by Joshua Kogut <jm...@gmail.com>.
On 10/12/05, Nick Kew <ni...@webthing.com> wrote:
>
> On Wednesday 12 October 2005 19:23, Marc Rabil wrote:
>
> > Is there a way to disable this security check or otherwise configure the
> > server to permit this type of URL?
>
> Sounds like mod_security to me. And of course you can configure it,
> or remove it completely. But it's right: what you're trying to do is a
> security risk.
>
> If it's not mod_security then it's your application itself, and completely
> out of apache's control.
>
> --
> Nick Kew
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


--
|| jmkogut ||
email: jmkogut@gmail.com
|| Networking: Where all your problems are category 5. ||

Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL

Posted by Nick Kew <ni...@webthing.com>.
On Wednesday 12 October 2005 19:23, Marc Rabil wrote:

> Is there a way to disable this security check or otherwise configure the
> server to permit this type of URL?

Sounds like mod_security to me.  And of course you can configure it,
or remove it completely.  But it's right: what you're trying to do is a
security risk.

If it's not mod_security then it's your application itself, and completely
out of apache's control.

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
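As an added illustration that is not part of the thread, the Python below emulates the check Nick Kew attributes to mod_security: the request URI is percent-decoded before the rule is applied, so `value=%3C%3C%3C` is seen as `<<<` and is refused exactly like a literal `<`. It assumes the rule simply flags `<` or `>` in a decoded query value (the thread never shows the actual rule), and it pairs the check with the mitigation a defender would reach for instead of disabling it: escaping the value when it is written into HTML.

```python
"""
Added example (not from the thread): emulate a WAF-style check that refuses
URLs carrying HTML tag characters, and show the safe way to render such a
value. Assumption: the filter percent-decodes the query once and then looks
for '<' or '>' in each parameter value.
"""
import html
from urllib.parse import parse_qsl, urlsplit

# Characters the emulated rule treats as markers of embedded HTML tags.
TAG_CHARS = {"<", ">"}


def tag_chars_in_url(url: str) -> list:
    """Return (param, decoded_value) pairs whose decoded value holds '<' or '>'.

    parse_qsl percent-decodes the query, mirroring the normalisation a WAF
    performs before matching, so '%3C' and a literal '<' are indistinguishable
    to the rule.
    """
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if TAG_CHARS & set(value):
            hits.append((name, value))
    return hits


def would_be_forbidden(url: str) -> bool:
    """True when a check like the one in the thread would answer 403."""
    return bool(tag_chars_in_url(url))


def safe_for_html(value: str) -> str:
    """Escape a decoded parameter value so it cannot become markup when the
    application writes it back into a page; this is the mitigation that
    addresses the risk the filter is guarding against."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed input: the URL from the original question.
    original = "http://localhost/ourapp/index.htm?value=%3C%3C%3C"
    print(tag_chars_in_url(original))    # [('value', '<<<')]
    print(would_be_forbidden(original))  # True
    print(safe_for_html("<<<"))          # &lt;&lt;&lt;
```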