Resolved Issue with query value "https%3A" in URL-Parameters results in 403 forbidden

[Azurel]

Server operating system version

AlmaLinux 8.5

Plesk version and microupdate number

18.0.44 Update #3

In one special page I have a script thats add a redirect-url to every URL. Offline in xampp all working fine. Upload it on my plesk server, I get a 403 page, if I try to call this urls. Simplified that is already enough to get a 403 page

https://www.mypage.com/redirect?url=https%3A

Is this some kind of bug or is it meant to be?

 

[Azurel]

edit is disabled. I want to add, that is enough to get 403 in my case:

https://www.mypage.com/?url=http

https://www.mypage.com/?test=http

thats working fine

https://www.mypage.com/redirect?url=httx

Is here a issue with "=http"?

 

[Kaspar]

Sounds like a WAF/ModSecurity issue. Do you have WAF/ModSecurity enabled?

 

[Azurel]

That was my first thought too, but then shouldn't there be something about it in "/var/log/modsec_audit.log"? There is nothing to be found there.

 

[Bitpalast]

That was my first thought too, but then shouldn't there be something about it in "/var/log/modsec_audit.log"? There is nothing to be found there.

You'll find it in the regular Apache error_log file.

 

[Azurel]

Okay, I have new information about this. I can deactivate ModSecurity and this issue remains.

When I make this call on the top level of my domain
Like this https://www.mypage.com/?param=http
1. log access_ssl_log shows "GET /?param=http HTTP/1.0 403"
2. And I see a AlmaLunix test page


When I make this call in a subdirectory
Like this https://www.mypage.com/subdirectory/?param=http
Again in access_ssl_log a line with 403 and instead of "AlmaLinux Test Page" I get a page with

Forbidden
You don't have permission to access this resource.

@Peter Debik Thanks, but there is nothing related to this in /var/log/http/error_log or /var/www/vhosts/system/logs/mydomain.com/error_log

The only strange think are this lines in /var/log/http/error_log

[Sat Jun 25 10:32:43.632945 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: lists:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.633247 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-2a01_4f8_242_4f94__2:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.633513 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-168_119_4_235:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.634584 2022] [lbmethod_heartbeat:notice] [pid 3952182:tid 139665695881536] AH02282: No slotmem from mod_heartmonitor
[Sat Jun 25 10:32:43.713455 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00489: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 Phusion_Passenger/6.0.13 configured -- resuming normal operations
[Sat Jun 25 10:32:43.713481 2022] [core:notice] [pid 3952182:tid 139665695881536] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sat Jun 25 10:32:44.191499 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00493: SIGUSR1 received. Doing graceful restart

[Sat Jun 25 10:32:47.303427 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: lists:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.303697 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-2a01_4f8_242_4f94__2:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.303942 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-168_119_4_235:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.304980 2022] [lbmethod_heartbeat:notice] [pid 3952182:tid 139665695881536] AH02282: No slotmem from mod_heartmonitor
[Sat Jun 25 10:32:47.375465 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00489: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 Phusion_Passenger/6.0.13 configured -- resuming normal operations
[Sat Jun 25 10:32:47.375483 2022] [core:notice] [pid 3952182:tid 139665695881536] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sat Jun 25 10:33:06.632605 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00492: caught SIGWINCH, shutting down gracefully

But that not the timestamp with my issue. I can create now 403 and nothing is added to this error_log's for apache.

 

[Bitpalast]

By the log excerpts I think you are looking into the general error_log of the server as httpd restarts or other service actions would not be logged to the site's error_log. Are you sure you are looking at /var/www/vhosts/<your subscription>/log/<your domain>/error_log?

 

[Azurel]

Yes. The mention path
/var/www/vhosts/system/logs/mydomain.com/error_log
is equal to
/var/www/vhosts/<subscription>/logs/mydomain.com/error_log
Both files have the same content.

The log excerpts was for /var/log/http/error_log (genral error_log). In the domain erorr_log there is nothing related or timestamp for my issue.

 

[Bitpalast]

Is the subscription domain the same that is also used for Plesk panel access?

 

[Azurel]

Okay, I found the reason. I feel a little stupid right now. I did not expect that. This must have been in the htaccess (Additional Apache directives) for so many years. I don't even know why that's in there. Look like a very old protection, but I don't understand why this query string is here blocked.

RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ – [F,L]

Thanks for your help