GET with hyphens raises error 403

Question

I have a PHP script which handles callbacks from a payment processor.

If the querystring 'result' contains double dashes followed by a single, we are getting a 403, e.g.

/index.php?result=A--B-  (returns 403)
/index.php?result=A-B-   (is OK)
/index.php?result=A-B--  (is OK)
/index.php?result=A--B   (is OK)
/index.php?result=A---B  (returns 403)
/index.php?result=A-B-C- (is OK)

For this site, there are no rewrite rules in .htaccess or apache config.

Loaded modules are as follows:

core prefork http_core mod_so mod_auth_basic 
mod_auth_digest mod_authn_file mod_authn_alias 
mod_authn_anon mod_authn_dbm mod_authn_default 
mod_authz_host mod_authz_user mod_authz_owner 
mod_authz_groupfile 
mod_authz_dbm mod_authz_default util_ldap 
mod_authnz_ldap mod_include mod_log_config mod_logio 
mod_env mod_ext_filter mod_mime_magic mod_expires 
mod_deflate mod_headers mod_usertrack mod_setenvif 
mod_mime mod_dav mod_status mod_autoindex mod_info 
mod_dav_fs mod_vhost_alias mod_negotiation 
mod_dir mod_actions mod_speling mod_userdir mod_alias 
mod_rewrite mod_cache mod_suexec mod_disk_cache 
mod_file_cache mod_mem_cache mod_cgi mod_version 
mod_security2 mod_unique_id mod_php5 mod_ssl

Hi Peter, no framework being used, just a simple script. In fact testing this with a test.php only containing echo phpinfo(); has the same result. So I think the actual script is not relevant to the issue. Thanks — user1978903, Jan 15 '13 at 01:25
Does it work if you disable mod-security2? This is a Forbidden error, so security might be the problem. — Peter Wooster, Jan 15 '13 at 01:35
It works fine here without mod-security2, same query string, index.php shows phpinfo — Peter Wooster, Jan 15 '13 at 01:46
Yep, if I disable mod-security2 the script works (no 403). So ideally, I do not want to disable mod-security2. Any pointers on changing config to allow this kind of request? Thanks — user1978903, Jan 15 '13 at 01:53
I don't know enough to provide an answer, but it might be in the SQL injection rules if there are any. often -- is put in a SQL parameter to comment out the rest of a statement. — Peter Wooster, Jan 15 '13 at 01:58
You might want to retitle this post to indicate that it is a mod_security2 issue. — Peter Wooster, Jan 15 '13 at 02:00
I retitled it for brevity,clarity. I took out mod_security2 because the tag should be adequate. — Smandoli, Jan 15 '13 at 14:01

score 3 · Accepted Answer · edited Jan 15 '13 at 13:53

Of course it has been blocked by mod_security.

"--" is usually the beginning flag of a line comment in SQL. Sometimes programmers use user input (like $_GET[] array) directly to build a SQL query, which leads to a vulnerability called SQL Injection.

So mod_security will check such string in cookies, querystring and posted form. Once illegal string found, it will display a 403 Forbidden error.

If you do need "--" in your querystring and you are sure that you have handle querystring properly (or you don't actually execute SQL queries) you can remove this rule from mod_security.

You may find the rule in

MOD_SRCURITY_INSTALLATION_PATH/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

MOD_SRCURITY_INSTALLATION_PATH depends on your server environment.

You may find such rules near

#
# -=[ Detect SQL Comment Sequences ]=-
#

and

#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
#

Search rules that contain string -- and modify them. Since they are all written in RegExp you should learn it first.

This could be a great answer except that your last line isn't very good. Upper case is shouting, and editing the rules will remove certain safeguards but desn't lower the functionality or cause Apache to stop working. There are numerous sets of security rules, if the user always uses prepared statements or doesn't use SQL they can delete all the SQL rules. Also you are making assumptions about the OPs rule set, I suspect those line numbers relate to the default, if so you should say so. If you fix these, you'll get my vote. — Peter Wooster, Jan 15 '13 at 12:43
I just encountered the same with multiple consecutive plus signs. Can someone confirm this was blocked by the same mechanism? — Ogier Schelvis, Nov 22 '18 at 08:26

GET with hyphens raises error 403

1 Answers1

Linked