update 2022-05-14

I found that the server shows 403 on POST requests, not on GET requests. GET requests work well, POST requests do not.


Hi, I have a problem with the Apache server.

That server unexpectedly started responding with 403 Access Denied when users access some files. Those files were working well before, and other files in the same directory can be accessed fine.

The detailed error message is "You don't have permission to access "{FILE_PATH}/cart_write_exec.php" on this server."

I tried to fix it with a bunch of Stack Overflow pages:

Directory Indexes: Error message "Forbidden You don't have permission to access / on this server"

cart_write_exec.php is a specific PHP file, not a directory, so I think this is useless.

deny,allow directives: Error message "Forbidden You don't have permission to access / on this server"

That server's httpd.conf is already set, and I haven't modified that file since 2012.

<Directory /home/*>
    AllowOverride All
    Options +ExecCGI
    Order allow,deny
    Allow from all
</Directory>

Require directive (Apache 2.4): Error message "Forbidden You don't have permission to access / on this server"

That server's Apache version is 1.3.37.

Files permissions: Error message "Forbidden You don't have permission to access / on this server"

cart_write_exec.php is already 777, and the directory containing that file is 777 too.

drwxrwxrwx  4 image***   502   4096  5▒▒ 11 21:32 .
drwxr-xr-x 33 image***   502   4096  4▒▒ 24 18:33 ..
drwxrwxrwx  2 image*** users   4096  4▒▒  7 21:43 bak
-rwxrwxrwx  1 image*** users   3667  5▒▒ 11 21:18 cart_write_exec.php
drwxrwxrwx  3 image***   502   4096  4▒▒ 18  2012 img
-rwxrwxrwx  1 image*** users  20682  1▒▒ 24  2011 login_oo.html
-rwxrwxrwx  1 image*** users  20682  1▒▒ 24  2011 login_oo.php
-rwxrwxrwx  1 image***   502  20758  9▒▒ 29  2011 oo.html
-rwxrwxrwx  1 image*** users  10485  9▒▒ 28  2011 oo_list.html
-rwxrwxrwx  1 image*** users 100240  5▒▒ 11 21:32 pu.html
-rwxrwxrwx  1 image*** users  23934  4▒▒  7 21:37 pu.js
-rwxrwxrwx  1 image*** users  44927  4▒▒  7 22:44 pu_h.20220407.html
-rwxrwxrwx  1 image*** users  13741  4▒▒  7 22:45 pu_h.20220407.js
-rwxrwxrwx  1 image*** users  44440  4▒▒  7 22:44 pu_h.html
-rwxrwxrwx  1 image*** users   5593  4▒▒  7 22:45 pu_h.js
-rwxrwxrwx  1 image*** users   8949  4▒▒ 19  2012 web.html
-rwxrwxrwx  1 image*** users  45834  2▒▒ 17  2012 web4444.html
-rwxrwxrwx  1 image***   502   9936  7▒▒  3  2008 web4444444444.html

SELinux security context: https://www.happyjung.com/lecture/2481

I think SELinux security context is not installed on my server,

cuz `ls -alZ` shows nothing, like below.

drwxrwxrwx  image*** users                                  bak
-rwxrwxrwx  image*** users                                  cart_write_exec.php
drwxrwxrwx  image***   502                                  img
-rwxrwxrwx  image*** users                                  login_oo.html
-rwxrwxrwx  image*** users                                  login_oo.php
-rwxrwxrwx  image***   502                                  oo.html
-rwxrwxrwx  image*** users                                  oo_list.html
-rwxrwxrwx  image*** users                                  pu.html
-rwxrwxrwx  image*** users                                  pu.js
-rwxrwxrwx  image*** users                                  pu_h.20220407.html
-rwxrwxrwx  image*** users                                  pu_h.20220407.js
-rwxrwxrwx  image*** users                                  pu_h.html
-rwxrwxrwx  image*** users                                  pu_h.js
-rwxrwxrwx  image*** users                                  web.html
-rwxrwxrwx  image*** users                                  web4444.html
-rwxrwxrwx  image***   502                                  web4444444444.html

But I tried `chcon --type=httpd_sys_content_t cart_write_exec.php`. It returns an error: `chcon: can't apply partial context to unlabeled file cart_write_exec.php`

That server's Apache version is 1.3.37, PHP version is 4.4.7, CentOS version is centos-release-5-1.0.el5.centos.1... whatever..

  • Security support for the 1.3 branch of Apache HTTPD ended 12 years ago! You aren't even running the latest patch! Upgrade to 2.4. – Quentin May 11 '22 at 13:29
  • Those permissions are terrible for a production environment. 755 folders and 644 files. Then check file and folder owners, the owner should match the owner of apache. Something like www or www-data as the owner. Uploading a file over ftp and upload in a php/html form will set different owners, fyi – MisterG13 May 11 '22 at 13:35
  • @MisterG13 well. i changed the permissions of the files and the directory that contains the file to 755 and 644. but it doesn't help. that server still can't access `cart_write_exec.php`. i checked the ownership of httpd. it was root. so i changed ownership of `cart_write_exec.php` to `root`. but it doesn't help. i wish someone shot my head. then i can tell him to my client 'oh sorry, your server is dead, and i'm dead too.'. anyway, Thank you very much for your comment – Seunghaekim May 12 '22 at 14:37
  • @Quentin yeah. i know it. i didn't expect i can see an apache server that is under version 2. but i saw it. and it kicked me up. anyway. actually that is not my server. MY CLIENT'S server. but i call it mine. cuz i have some pronoun problem. – Seunghaekim May 12 '22 at 14:40
  • Try checking php's temporary upload directory... https://stackoverflow.com/a/6034073/19070801 – MisterG13 May 12 '22 at 15:30
  • @MisterG13 i checked it up. it shows nothing. owner is root, apache owner is root, too. and permission is 777. – Seunghaekim May 13 '22 at 12:59
  • if it is empty, change to '/tmp' (linux) like the link describes. do not use the root user. PHP, apache and the destination folder should all have the same owner, usually 'www-data'. if needed create the user. you can use https://superuser.com/questions/91935/how-to-recursively-chmod-all-directories-except-files to fix all permissions faster. also check php ini for file uploads ON https://stackoverflow.com/questions/30433932/how-to-add-file-upload-in-php-ini#30433980 – MisterG13 May 13 '22 at 16:58
  • @MisterG13 yes. actually upload_tmp_dir shows me /tmp. and if php fileupload is off it must show a php error, not an apache error. – Seunghaekim May 13 '22 at 23:02
  • @MisterG13 i found it just shows 403 error on post request. not on get request. – Seunghaekim May 14 '22 at 08:06
  • Then the problem is in the code on the cart page. If Apache is several versions out of date, I imagine the code syntax is also. Try debugging the cart page, find the last line of successful code execution – MisterG13 May 14 '22 at 13:48
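
Added example, not part of the original post or its comments: with `AllowOverride All` in effect and a 403 that appears only on POST, one thing to rule out is a method-scoped access rule (`<Limit>` / `<LimitExcept>`) in an `.htaccess` file above the script. The sketch assumes Python 3; `rules_for_method`, `htaccess_chain` and the sample file content are constructed for illustration.

```python
import os
import re

# Directives that decide allow/deny in Apache 1.3 access control
ACCESS = re.compile(r"^(order|deny|allow|require|satisfy)\b", re.I)
OPEN = re.compile(r"^<(Limit|LimitExcept)\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^</(Limit|LimitExcept)>", re.I)

# Constructed sample .htaccess, not taken from the server in the question
SAMPLE = """\
Options +ExecCGI
<Limit POST PUT>
    Order deny,allow
    Deny from all
</Limit>
<LimitExcept GET POST>
    Order deny,allow
    Deny from all
</LimitExcept>
"""


def rules_for_method(conf_text, method):
    """Return (line_no, directive) for access rules inside a section that
    covers `method`: <Limit> covers listed methods, <LimitExcept> the rest."""
    method = method.upper()
    hits, applies = [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = OPEN.match(line)
        if opened:
            listed = method in opened.group(2).upper().split()
            applies = listed if opened.group(1).lower() == "limit" else not listed
        elif CLOSE.match(line):
            applies = False
        elif applies and ACCESS.match(line):
            hits.append((no, line))
    return hits


def htaccess_chain(path):
    """Yield every existing .htaccess from the file's directory up to /."""
    d = os.path.dirname(os.path.abspath(path))
    while True:
        if os.path.isfile(os.path.join(d, ".htaccess")):
            yield os.path.join(d, ".htaccess")
        if d == os.path.dirname(d):
            return
        d = os.path.dirname(d)
```

Feed each file from `htaccess_chain()` (and httpd.conf) to `rules_for_method()` for both GET and POST; a rule that shows up for POST only is a candidate explanation for the method-specific 403.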

0 Answers