
I created a server and installed Apache & PHP (CentOS 64-bit 6.x), and created the file test.js.php:

<?php
// Send correct type
header('Content-Type: text/javascript; charset=UTF-8');
// Enable browser cache for 1 hour
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 3600) . ' GMT');

if (! empty($_GET['scripts']) && is_array($_GET['scripts'])) {
    foreach ($_GET['scripts'] as $script) {
        // Sanitise filename: build the path relative to the "js" directory
        $script_name = 'js';

        $path = explode("/", $script);
        foreach ($path as $index => $filename) {
            // Allow alphanumeric, "." and "-" chars only, no files starting
            // with "." (segments that fail the check are silently skipped)
            if (preg_match("@^[\w][\w\.-]+$@", $filename)) {
                $script_name .= DIRECTORY_SEPARATOR . $filename;
            }
        }

        // Output file contents, only for readable .js files
        if (preg_match("@\.js$@", $script_name) && is_readable($script_name)) {
            readfile($script_name);
            echo ";\n\n";
        }
    }
}

And I access this file with the URL http://124.x.x.x/js/test.js.php?scripts[]=jquery1.11.js and the server responds with error 403 Forbidden:

Forbidden

You don't have permission to access /js/test.js.php on this server.
Apache/2.2.15 (CentOS) Server at xxxx.org Port 80

When I change scripts[] to scripts it works fine, but I want to know why my server responds with 403 when using scripts[] in the URI?

Any idea?

Viet Nguyen

1 Answer


You must have mod_security enabled. mod_security is a WAF (Web Application Firewall) module to prevent your server from cyber attacks.

"[]" in a URL can be used to exploit variable injection vulnerabilities, so the WAF blocks your request to protect the server. This error is raised from Apache.

Check out this similar thread:

GET with hyphens raises error 403

Disabling mod_security will instantly solve the issue, but it's really a terrible idea.

Try to avoid using "[]". You can still implement the feature without it:

// explode() takes the separator first, then the string to split
$scripts = explode(',', $_GET['scripts']);
Community
  • Can you link to any reference for this, as far as `?key[]` being blocked? It's not always possible to avoid brackets in keys in a clean way. – Wesley Murch Jun 04 '14 at 04:09
  • @WesleyMurch http://stackoverflow.com/questions/1885979/php-get-variable-array-injection –  Jun 04 '14 at 04:16
  • I mean any reference to what `mod_security` actually blocks? I couldn't find it via Google. I'm pretty sure this is the right answer but I was just curious. – Wesley Murch Jun 04 '14 at 04:21
  • @WesleyMurch Sorry I'm unable to access StackOverflow recently, due to internet censorship of the Firewall you know. (Damn it!) `mod_security` filters harmful content from HTTP requests, including $_COOKIE, $_POST, $_GET. AFAIK, its rules are based on RegExp. You can check the log file to see which rule was fired during your request. –  Jun 24 '14 at 03:44
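The answer's suggestion carried through, as an added example that is not part of the original question or answer: the concatenator rewritten to take a comma-separated `scripts` parameter (so the query string carries no "[]" for mod_security to match on), with each requested name validated and the resolved path confirmed to stay under the js directory. It assumes a `js` directory next to the script (hypothetical layout).

```php
<?php
// Added example, not the question's or answer's code. Assumes a "js"
// directory next to this script (hypothetical layout).
header('Content-Type: text/javascript; charset=UTF-8');
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 3600) . ' GMT');

$jsDir = realpath(__DIR__ . DIRECTORY_SEPARATOR . 'js');
if ($jsDir === false) {
    http_response_code(500);
    exit;
}

/**
 * Return the real path of a requested script if it is safe to serve,
 * or null if any check fails.
 */
function resolveScript(string $jsDir, string $script): ?string
{
    // Every path segment: alphanumeric, "_", "." and "-", not starting
    // with "." (this also rejects ".", "..", and empty segments).
    foreach (explode('/', $script) as $segment) {
        if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $segment)) {
            return null;
        }
    }
    if (!preg_match('/\.js$/', $script)) {
        return null;
    }
    $relative = str_replace('/', DIRECTORY_SEPARATOR, $script);
    $real = realpath($jsDir . DIRECTORY_SEPARATOR . $relative);
    // realpath() follows symlinks, so confirm the result is still inside $jsDir.
    if ($real === false || strpos($real, $jsDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_readable($real) ? $real : null;
}

// ?scripts=jquery1.11.js,plugins/foo.js  (no "[]" in the query string)
$requested = (isset($_GET['scripts']) && is_string($_GET['scripts']))
    ? explode(',', $_GET['scripts'])
    : [];

foreach ($requested as $script) {
    $path = resolveScript($jsDir, trim($script));
    if ($path !== null) {
        readfile($path);
        echo ";\n\n";
    }
}
```

Unlike the original, which silently drops segments that fail the regex and keeps going, this version rejects the whole entry when any segment is invalid, so a malformed name never produces a partially rewritten path.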