
I am working on solving an issue within my Apache servers that will return a 403 Forbidden page when I attempt to go to a URL with sub-directories and the sub-directories do not exist.

"domain.com/etc/" will return a 403 Forbidden error instead of a 404.

"domain.com/cd/" will return a 403 instead of a 404.

"domain.com/xss/" will return a 403 instead of a 404.

I've tried other URLs/sub-directories, like domain.com/bin/, which returns 404. I've added this line to the HTACCESS file:

ErrorDocument 403 /error404.php

Which will make all 403 returns display a 404 page. However, this isn't good if the page is actually supposed to return a 403.

Does anyone know how I can determine why these three sub-directories are returning a 403 and not a 404? NOTE: I believe that these 3 are the only three I've been able to get to return a 403 Forbidden page on.

Is this an issue with the HTACCESS file, httpd.conf, Vhost.conf, or a php file? These directories DO NOT exist on the server. Any help would be much appreciated.

  • Look into your Apache error.log – anubhava Oct 29 '13 at 19:59
  • Do you have .htaccess file in xss OR etc directory? – anubhava Oct 29 '13 at 20:08
  • Thanks for the comment. probably should have added that to my original context. I've checked the /var/log/httpd/error_log and there is nothing written there since Oct. 27 2013. This has been an issue for some time now. – user2933689 Oct 29 '13 at 20:09
  • Restart the Apache to get error file working. – anubhava Oct 29 '13 at 20:10
  • No there is no /cd or /xss directories. And my etc directory doesn't have an .htaccess file. – user2933689 Oct 29 '13 at 20:14
  • Restarted Apache, there is no Error hitting the error log. When going to domain.com/cd/ or domain.com/etc/ or domain.com/xss/ nothing is being reported. In order to make sure the logs were working I caused an https error. I got that in the error log. – user2933689 Oct 29 '13 at 20:20
  • Every 404 OR 403 should be reported in error.log – anubhava Oct 29 '13 at 20:21
  • I found where the error log was at. I do have an error that states file does not exist when I hit a directory that isn't any of those three. I do get an access log entry that is created when I attempt to use any of those three directories. The 403 Forbidden is not erroring out; it only goes to the access_log – user2933689 Oct 29 '13 at 20:36
  • Here is the access log entry. GET /etc/ HTTP/1.1" 403 302 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36" – user2933689 Oct 29 '13 at 20:43
  • This access log is actually the error log. Only programming language is in the "error_log". So the GET /etc/ HTTP/1.1 403 302 is the error. How can I make those three directories respond as a 404? – user2933689 Oct 29 '13 at 20:58
  • Can you post your complete .htaccess file? – anubhava Oct 29 '13 at 20:59
  • I'll have to take some things out probably. Let me check and see what I can do. I personally do like to post entire file on the Internet. What specifically would you be looking for? – user2933689 Oct 29 '13 at 21:10
  • You can hide all domain names etc, I suspect some directive in there might be causing 403 – anubhava Oct 29 '13 at 21:11
  • Because of the client we have with this htaccess file and the contents I'm sorry however I cannot post the file online. I've been reassured that the .htaccess file is not the problem. That being said, is there a mod_ or something in Httpd.conf that could be causing this type of output? – user2933689 Oct 29 '13 at 21:14
  • I've got two Developers looking at the htaccess file again to ensure that both agree that the directives are not the cause. This will take some time to remove the client specific information to be able to post what I can... I know it's kind of a shot in the dark if I can't post that file so I am sorry and I do really appreciate the feed back. – user2933689 Oct 29 '13 at 21:16
  • You can just rename .htaccess and retry this URL to see whether 403 is still there. – anubhava Oct 29 '13 at 21:17
  • Did that and I still get the same 403 error. Tried to just hit the site and because of no htaccess file I get no webpage but still get 403 error. – user2933689 Oct 29 '13 at 21:23
  • Post your vhost file with masked domains and post your httpd.conf. Also, .htaccess would help... A LOT – Sibin Grasic Oct 29 '13 at 21:50
  • I figured out that this is a Mod_security issue and that mod_security is causing these three directory calls to respond with a 403 error. The /xss call is being blocked by modsecurity_crs_41_xss_attacks.conf; the /etc & /cd are from the modsecurity_crs_40_generic_attacks.conf. Anyone know about Mod_Security? – user2933689 Oct 30 '13 at 13:53

1 Answer

I've figured this out.

Mod_security rules crs_40_general_attacks and crs_41_xss_attacks are the cause. I've located the SEC_rules that are being called, commented those rules out, and now I do not get the 403 error. The /cd is redirected to the landing page and the other two return 404 errors. :) Yeah for me :) Thanks to everyone that tried to help, I truly appreciate it.