I have a PHP script which handles callbacks from a payment processor.
If the querystring ‘result’ contains double dashes followed by a single, we are getting a 403, e.g.
/index.php?result=A--B- (returns 403)
/index.php?result=A-B- (is OK)
/index.php?result=A-B-- (is OK)
/index.php?result=A--B (is OK)
/index.php?result=A---B (returns 403)
/index.php?result=A-B-C- (is OK)
For this site, there are no rewrite rules in .htaccess or apache config.
Loaded modules are as follows:
core prefork http_core mod_so mod_auth_basic
mod_auth_digest mod_authn_file mod_authn_alias
mod_authn_anon mod_authn_dbm mod_authn_default
mod_authz_host mod_authz_user mod_authz_owner
mod_authz_groupfile
mod_authz_dbm mod_authz_default util_ldap
mod_authnz_ldap mod_include mod_log_config mod_logio
mod_env mod_ext_filter mod_mime_magic mod_expires
mod_deflate mod_headers mod_usertrack mod_setenvif
mod_mime mod_dav mod_status mod_autoindex mod_info
mod_dav_fs mod_vhost_alias mod_negotiation
mod_dir mod_actions mod_speling mod_userdir mod_alias
mod_rewrite mod_cache mod_suexec mod_disk_cache
mod_file_cache mod_mem_cache mod_cgi mod_version
mod_security2 mod_unique_id mod_php5 mod_ssl
Of course it has been blocked by mod_security.
“–” is usually the beginning flag of a line comment in SQL. Sometimes programmers use user input (like $_GET[] array) directly to build a SQL query, which leads to a vulnerability called SQL Injection.
So mod_security will check such string in cookies, querystring and posted form. Once illegal string found, it will display a 403 Forbidden error.
If you do need “–” in your querystring and you are sure that you have handle querystring properly (or you don’t actually execute SQL queries) you can remove this rule from mod_security.
You may find the rule in
MOD_SRCURITY_INSTALLATION_PATH depends on your server environment.
You may find such rules near
and
Search rules that contain string
--and modify them.Since they are all written in RegExp you should learn it first.