4

I'm trying to set a cookie for my phpBB forums from a MediaWiki login page. Using the hook after a login to the wiki is successful, I want to run a php script that sets the cookie.

The script works when I run it independently or when I use GET, but for security reasons I want to POST to the script. For this I figured curl would be the best option.

Unfortunately, even the basic script like this:

$ch = curl_init(); // create the cURL handle
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/ForumLogin.php");
curl_setopt($ch, CURLOPT_HEADER, 0); // do not include response headers in the output
curl_exec($ch);
curl_close($ch);

Gives me a 403 Forbidden error. There are no rules in robots.txt that should interfere. What else could I try to get the script to work, or are there any other ways I could run the script from within MediaWiki?

Nemo
Stephan Muller
  • FWIW, there are several MediaWiki extensions around for phpBB integration. https://www.mediawiki.org/wiki/Extension:PHPBB/Users_Integration – Nemo Apr 06 '15 at 11:16

4 Answers

6

For my specific project, the server would throw a 403 error if an error occurs, but still return data. So to get around the issue, I did this:

curl_setopt($ch, CURLOPT_FAILONERROR, 0); // Do not fail on HTTP errors (status >= 400); keep the response body

If you disable the fail on errors, you might still get some data back. Hope that helps.

rockstardev
5

I'd suspect the justification for this is explicitly to stop automated behaviour - an anti-bot or general security measure. You may wish to look at the source code of the destination site and check for any such measures - a quick search of the code for '403' might offer some insight. It may even be the case that POST requests are not legitimate in that context - and thus prevented for security reasons.

I'm not sure what you mean by 'for security reasons' by the way. POST isn't more secure than GET. They're both open to just as much scrutiny.

Rushyo
  • The destination is a hand-scripted page of about 20 rules. I didn't send a POST yet, even the basic script in the question is denied by the receiving script. Also, because I have to send the username and password from one script to the other I figured I shouldn't do that in the query string of a URL. Am I wrong? – Stephan Muller Sep 17 '10 at 13:24
  • Have you checked the server configuration? How about other pages? Regarding the other issue: POST is no more secure. You need SSL to keep the information secret in transit. – Rushyo Sep 17 '10 at 13:44
  • 1
    Ok, I realize when using curl GET and POST don't make a difference, but I chose curl because I didn't want a GET in the URL. Which is less safe, because it saves your username and pass as a query string in the browser history. Anyway, it's not the issue. What should I check in the server configuration? – Stephan Muller Sep 17 '10 at 13:52
  • That depends on the server. Anything related to access privileges really... I'd also recommend testing cURL is working as intended by making a similar req. to another document (if you haven't already). You need to rule out as many variables/technologies as possible to narrow down the options (there's a million reasons you might get a 403, it's kinda like saying you got a BSOD for accessing protected memory). ...and no, it's no less safe. Trust me. Making it obscure doesn't make it any more secure. Staple rule of security. – Rushyo Sep 17 '10 at 13:56
  • Bah, this is gonna suck :P Thanks for the advice, I'll probably accept your answer somewhere today when I give up. – Stephan Muller Sep 17 '10 at 14:08
  • Well, even if I strip everything from the two scripts and try to curl one page from the other I get the error :/ – Stephan Muller Sep 17 '10 at 14:42
  • What about if you try to cURL another server? Do you still get a 403? If not, I'd check your server configuration first and foremost for anything related to access privileges. – Rushyo Sep 17 '10 at 14:50
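
A diagnostic version of the request discussed in this thread, as an added example that is not part of any post: it sends the fields in a POST body, keeps the body of a 403 response, and reports the status code rather than only echoing output. The local stub server, port 8765 and the field names are constructed assumptions; against a real endpoint use an `https://` URL, since only TLS keeps the credentials secret in transit.

```php
<?php
// Added example, not code from the original posts.
// POST a form and return status, headers and body for inspection.
function post_form(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // sent in the body, not the URL
        CURLOPT_RETURNTRANSFER => true,   // return the response instead of printing it
        CURLOPT_HEADER         => true,   // keep response headers for diagnosis
        CURLOPT_FAILONERROR    => false,  // keep the body of 4xx/5xx responses
        CURLOPT_SSL_VERIFYPEER => true,   // for https:// URLs: verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // ... and that it matches the host name
        CURLOPT_TIMEOUT        => 10,
    ]);
    $raw = curl_exec($ch);
    $out = ['status' => 0, 'headers' => '', 'body' => '', 'error' => null];
    if ($raw === false) {
        $out['error'] = curl_error($ch);  // transport failure: DNS, TLS, timeout ...
    } else {
        $hlen = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        $out['status']  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $out['headers'] = substr($raw, 0, $hlen);
        $out['body']    = substr($raw, $hlen);
    }
    return $out;
}

// Constructed stand-in for the receiving script: always answers 403 with a body.
$router = sys_get_temp_dir() . '/forumlogin_stub.php';
file_put_contents($router, '<?php http_response_code(403); echo "denied (constructed response)";');
$srv = proc_open([PHP_BINARY, '-S', '127.0.0.1:8765', $router],
                 [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
usleep(500000); // give the built-in server time to start listening

$r = post_form('http://127.0.0.1:8765/ForumLogin.php',
               ['username' => 'demo', 'password' => 'constructed-secret']);
printf("status=%d error=%s\nbody=%s\n", $r['status'], var_export($r['error'], true), $r['body']);

proc_terminate($srv);
unlink($router);
```

The response headers in `$r['headers']` often identify which layer issued the 403 (web server, proxy, or the script itself), which narrows down where to look in the server configuration.
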
4

My solution for this was to set the User Agent option, so the cURL can pretend to be a browser. An example of this set up in PHP is

curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6');

Jp_
3

To act/request like the real thing, try the "curl/7.39.0" user agent:

$useragent = "curl/7.39.0";
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);

Or try random user agents from a browser array list, like:

// browser pack start
$useragents = array(
      "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4",
      "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4",
      "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53",
      "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
      "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
      "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53",
      "Mozilla/5.0 (iPad; CPU OS 4_3_5 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8L1 Safari/6533.18.5",
      "Mozilla/5.0 (Linux; U; en-us; KFAPWI Build/JDQ39) AppleWebKit/535.19 (KHTML, like Gecko) Silk/3.13 Safari/535.19 Silk-Accelerated=true",
      "Mozilla/5.0 (Linux; U; en-us; KFTHWI Build/JDQ39) AppleWebKit/535.19 (KHTML, like Gecko) Silk/3.13 Safari/535.19 Silk-Accelerated=true",
      "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.141.16-Gen4_11004310) AppleWebkit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16 Silk-Accelerated=true",
      "Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; Nexus S Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
      "Mozilla/5.0 (Linux; Android 4.3; Nexus 7 Build/JSS15Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.72 Safari/537.36",
      "Mozilla/5.0 (Linux; Android 4.2.1; en-us; Nexus 5 Build/JOP40D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19",
      "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.10+ (KHTML, like Gecko) Version/10.0.9.2372 Mobile Safari/537.10+",
      "Mozilla/5.0 (Linux; Android 4.3; Nexus 10 Build/JSS15Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.72 Safari/537.36",
      "Mozilla/5.0 (Linux; U; Android 2.3; en-us; SAMSUNG-SGH-I717 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
      "Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
      "Mozilla/5.0 (Linux; U; Android 4.0; en-us; GT-I9300 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
      "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36",
      "Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",


      "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
);
// browser pack end
// pick one entry at random
$useragent = $useragents[rand() % sizeof($useragents)];
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
Hassan Saeed