apache mod_security 说 - 访问被拒绝错误

发布于 2024-08-02 04:37:30 字数 1688 浏览 3 评论 0原文

背景 -

我的网站代码托管在 Linux 服务器上。我的网站允许雇主进行新注册 (http://www.gymandspajobs.com/Employer/Employer. PHP）。填写的表单由文件夹“/javascript”中的 JavaScript 进行验证，如果发现信息正确，则通过 JavaScript HTTP 请求对象和 PHP 文件“somefile.php”提交数据。 php”保存在根目录下的文件夹“/somefolder”中进行数据库插入。

问题 -

当新用户尝试使用 Firefox 注册时（我在 WinXP SP2、Firefox - v3.5.2 中进行了测试），我收到的 HTTP 响应（我在 JavaScript 文件中点击）为 “您无权访问此服务器上的 /somefolder/somefile.php。”。

令人惊讶的是，相同的功能在 IE7 和 Chrome 中运行得非常好。

问题的最新更新 -

我联系了我的网络托管人员，在收到他们的回复后，我的问题似乎已经解决。

我们已禁用您的域的 mod_security 来修复它。我们已将以下行输入到您域的 httpdocs 目录下的 .htaccess 文件中。我们还已验证并成功提交雇主注册，没有任何问题。 ~~~~~ SecFilterEngine关闭~~~~~~

虽然问题已经解决，但我认为“SecFilterEngine off”可能不是解决这个问题的最佳方案，因为它会损害安全性。因此，我问托管人员是否有办法保持 mod_security 开启，同时让我的功能正常工作……这是他们的答复……

问。有什么方法可以让我的代码在保持 mod_security 开启的情况下工作吗？
答。有可能的。但这并不容易。您必须修改文件中的代码，使 URI 不应具有模式“!(^application/x-www-form-urlencoded$|^multipart/form-data;)”因为我们在 apache 错误日志中找到了此条目 -
<块引用>
mod_security-action：403
mod_security-message：访问被拒绝，代码为 403。HEADER 处的模式匹配“!(^application/x-www-form-urlencoded$|^multipart/form-data;)”("内容类型”）

我通过 JavaScript 使用 HTTP 对象和 POST 方法 -

http.setRequestHeader('Content-Type','application/x-www-form-urlencoded')

请指导我需要在上面的代码行中进行哪些更改，以便 mod_security 可以保持打开状态，但我的注册表单将工作？

谢谢和问候，

-Rupak Kharvandikar-

原文

Background -

I have my website code hosted on a linux server. My website allows new registrations for employers (http://www.gymandspajobs.com/Employer/Employer.php). The filled-up forms are verified by JavaScripts in the folder "/javascript" and if the information is found ok, the data is submitted via JavaScript HTTP request object and the PHP file "somefile.php" kept in the folder "/somefolder" under the root directory does the database inserts.

Problem -

When a new user tried to register using Firefox (I tested in WinXP SP2, Firefox - v3.5.2), the HTTP response I used to get (which I tapped in my JavaScript file) was
"You don't have permission to access /somefolder/somefile.php on this server." .

Surprisingly, the same functionality worked perfectly well in IE7 and Chrome.

Latest Update on the Problem -

I contacted my web hosting guys and my problem seems to have been solved after I received this reply from them.

We have disabled mod_security for your domain to fix it. We have entered the below lines to the .htaccess file under the httpdocs directory for your domain. We have also verified and successfully able to submit the Employer registration without any issues. ~~~~~ SecFilterEngine off ~~~~~

Though the problem has got solved, I think making "SecFilterEngine off" may not be the best solution to this problem as it compromises security. Hence I asked the hosting guys if there is a way to keep mod_security ON and yet get my functionality to work...... here is their reply.....

Q. is there any way my code can work yet keeping mod_security ON?
Ans. It is possible. But it is not easy. You have to modify the code in the file in such a way that the URI should not have the pattern "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" because we found this entry in the apache error logs -
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type")

I am using the HTTP object and POST method via JavaScript as -

http.setRequestHeader('Content-Type','application/x-www-form-urlencoded')

Please guide me as to what changes do I need to do in the above line of code so that mod_security can be kept ON and yet my registration form will work?

Thanks and Regards,

-Rupak Kharvandikar-

分享到QQ

分享到微博