• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Issue with query value "https%3A" in URL-Parameters results in 403 forbidden

Azurel

Azurel

Silver Pleskian
Server operating system version
AlmaLinux 8.5
Plesk version and microupdate number
18.0.44 Update #3
In one special page I have a script thats add a redirect-url to every URL. Offline in xampp all working fine. Upload it on my plesk server, I get a 403 page, if I try to call this urls. Simplified that is already enough to get a 403 page


Is this some kind of bug or is it meant to be?
 
That was my first thought too, but then shouldn't there be something about it in "/var/log/modsec_audit.log"? There is nothing to be found there.
 
Okay, I have new information about this. I can deactivate ModSecurity and this issue remains.

When I make this call on the top level of my domain
Like this https://www.mypage.com/?param=http
1. log access_ssl_log shows "GET /?param=http HTTP/1.0 403"
2. And I see a AlmaLunix test page
almatest.jpg

When I make this call in a subdirectory
Like this https://www.mypage.com/subdirectory/?param=http
Again in access_ssl_log a line with 403 and instead of "AlmaLinux Test Page" I get a page with
Forbidden
You don't have permission to access this resource.
Click to expand...


@Peter Debik Thanks, but there is nothing related to this in /var/log/http/error_log or /var/www/vhosts/system/logs/mydomain.com/error_log

The only strange think are this lines in /var/log/http/error_log
[Sat Jun 25 10:32:43.632945 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: lists:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.633247 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-2a01_4f8_242_4f94__2:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.633513 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-168_119_4_235:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.634584 2022] [lbmethod_heartbeat:notice] [pid 3952182:tid 139665695881536] AH02282: No slotmem from mod_heartmonitor
[Sat Jun 25 10:32:43.713455 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00489: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 Phusion_Passenger/6.0.13 configured -- resuming normal operations
[Sat Jun 25 10:32:43.713481 2022] [core:notice] [pid 3952182:tid 139665695881536] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sat Jun 25 10:32:44.191499 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00493: SIGUSR1 received. Doing graceful restart

[Sat Jun 25 10:32:47.303427 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: lists:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.303697 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-2a01_4f8_242_4f94__2:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.303942 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-168_119_4_235:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.304980 2022] [lbmethod_heartbeat:notice] [pid 3952182:tid 139665695881536] AH02282: No slotmem from mod_heartmonitor
[Sat Jun 25 10:32:47.375465 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00489: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 Phusion_Passenger/6.0.13 configured -- resuming normal operations
[Sat Jun 25 10:32:47.375483 2022] [core:notice] [pid 3952182:tid 139665695881536] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sat Jun 25 10:33:06.632605 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00492: caught SIGWINCH, shutting down gracefully
Click to expand...

But that not the timestamp with my issue. I can create now 403 and nothing is added to this error_log's for apache.
 
By the log excerpts I think you are looking into the general error_log of the server as httpd restarts or other service actions would not be logged to the site's error_log. Are you sure you are looking at /var/www/vhosts/<your subscription>/log/<your domain>/error_log?
 
Yes. The mention path
/var/www/vhosts/system/logs/mydomain.com/error_log
is equal to
/var/www/vhosts/<subscription>/logs/mydomain.com/error_log
Both files have the same content.

The log excerpts was for /var/log/http/error_log (genral error_log). In the domain erorr_log there is nothing related or timestamp for my issue.
 
Okay, I found the reason. I feel a little stupid right now. I did not expect that. This must have been in the htaccess (Additional Apache directives) for so many years. I don't even know why that's in there. Look like a very old protection, but I don't understand why this query string is here blocked.
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ – [F,L]
Click to expand...
Thanks for your help :)
 
You must log in or register to reply here.

Similar threads

D
Issue Node.js application doesnt show up on IP and neither on PORT, after deleting the default index.html i get 403 Forbidden page
Replies
1
Views
3K
robinrm
R
M
Forwarded to devs 403 Forbidden wont go away
Replies
1
Views
2K
SibProgrammer
SibProgrammer
Christoph Farnleitner
Question Password Generate button in template "ch_pass_by_secret.php" (reset login password screen)
Replies
4
Views
2K
Christoph Farnleitner
Christoph Farnleitner
C
WordCamp Seattle 2017: A Journey Across Continents – Recap
Replies
0
Views
1K
Carole Olinger
C
C
WordCamp Brighton: A Plesk Recap
Replies
0
Views
2K
Carole Olinger
C
Back
Top