PDA

View Full Version : CPanel causing redirects when submitting URLs in form fields



mikemoff
10-26-2011, 05:58 PM
Has anyone else had any issue like this with Cpanel? I have a simple form that submitts a link in a text field. When I do, I get a 403 Forbidden access error. After looking at my error logs it looks like a redirect is being triggered to a non existent page (public_html/sys_cpanel). This will even happen if I simply append an encoded "http://" in a url parameter. Submitting URLs and passing URLs in parameters is a pretty common practice. Surely someone else has run into this problem. See this page as an example of what I'm talking about.

http://sl-507-12.slc.westdc.net/~pantheon/formtest.html

or this...

http://sl-507-12.slc.westdc.net/~pantheon/index.html?test=http%3A%2F%2F

I wasted several hours trying to figure out why I was getting errors in my form submits and finally narrowed it down to the one of the fields containing an "http://". If there is no work around for this, this westhost account will be cancelled.

- Mike

wildjokerdesign
10-27-2011, 05:19 AM
I think it is simply because of how you are accessing your account via the user name. Once you access it via your domain name you should be ok.

mikemoff
10-27-2011, 12:53 PM
Good suggestion, though it looks like it didn't resolve the problem. The error message is slightly different but I think the same thing is essentially happening. Support suggested it had to do with a conflict with ModSecurity. This seems crazy too me, not being able to submit URL's in a form or passing as a URL argument?

http://www.pantheonstaging.com/formtest.html
http://www.pantheonstaging.com/index.html?test=http%3A%2F%2F

- Mike

wildjokerdesign
10-27-2011, 08:19 PM
Mike,
On the first page you have posted with the form it works fine for me. I get a submitted result page which I assume is what your back code is set to do at the moment. The second URL gives a forbidden but I don't see how that is a problem in fact I don't think you would really want someone to submit data via the url anyway or at least I wouldn't. I would want them to go through the page with the form on it.

mikemoff
10-28-2011, 06:33 PM
The form worked after Westhost admins made a change to the mod_security settings. The other link was just another test to show they have something in the apache settings (likely mod_security) that is redirecting or causing an error when an encoded "http://" is in the url. I had another form that was still getting the same error even after they made the change, so there must be an additional form field value that is triggering this affect. I have since had that account cancelled and moved to another hosting provider as I wasn't in the mood to spend more hrs troubleshooting what else was conflicting with how they've got mod_security setup on this server. If Westhost is going to setup mod_security in this overly aggressive fashion, they should consider making available what kind of requests will conflict or get redirected, so the next guy doesn't waste valuable time guessing what's causing the problem. On a side note, I do not get these errors on and older Westhost account that uses Site Manager instead of Cpanel. Thanks for your help and feedback Shawn.

- Mike