Discussion in 'All Points Bulletin / Be on the Look Out' started by purr1n, Apr 30, 2019.
@dematted PM me your ad content and I’ll create it and make you author.
It was the word Precision that was causing the error. Bizarre.
Silly question and a bit of an aside, but while I vaguely recall that special characters can bollix threads for whatever reason I don't quite understand how specific words can trigger 403s. I just figured that something in the script doesn't want to play well with certain characters in particular areas and that's the end of that, but is it more like a filter of some sort?
My knowledge of computers only really goes so far as "press buttons to go bloop", so pardon if this seems banal or overly simple, but genuinely curious.
It's all just characters to the computer. Letters, special characters, words, spaces, punctuation, it's all just strings of chars for the system to interpret to its liking. What's more, different parts of the same system can interpret the same character/string of chars differently depending on what it expects. Nothing surprises me anymore as far as what systems will choke on.
Sorry, I know I'm new here, and don't mean to intrude, but as someone who has XKCD's Bobby Tables as their Twitter header picture, I find this fascinating.
To answer @Lyander's question, a 403 usually means unauthorized (user permissions, no account, etc.), which I think is an odd one to use (400 bad request - request to server isn't what would be expected - is better, but it's up to the devs of the server/service), but essentially what happens is, when searching for the thread, a database query is called using certain parameters in the request.
Here’s the fun part, I can change my request and manipulate those parameters, I don’t need to use the words in our links AND if I’m a lucky little hacker, I can do it in a way where I can actually execute my own SQL query or command. Don’t have a username or password, manipulate the expected query through the request to think I am. Page queries a table with sensitive data, make it give me all of it because it didn’t want to validate my request and the server side code might have full read access.
There are very easy ways to prevent this; seems like the company that implemented it took the hardest (might make sense for the use case since it is a forum that might need more dynamic queries... don't want to get too detailed, but even these are easy to handle using more modern language versions).
Edit: Just want to say, it's the issue I find fascinating and their solution to a simple problem; as mentioned, it might be their use case.
My background's more in highly scalable cloud native stuff, so I don't want to make assumptions about what their needs are.
Anyway, I don't know if you guys found a permanent solution to this, so disregard this message if you did.
Found a couple of culprits and solutions in XenForo (third-party software this site uses according to the footer), but because I have no insight on what plugins and such we are using, no clue if they'll help, but thought I'd pass them on:
ModSecurity Needs Words Whitelisted
If using the LinkChecker add-on, updates have fixed 403 issues like this one (also added regex for filtering, which is the right way to do it if you have to handle it at that level and not at the DB/ORM level).
ModSec seems to be the most prevalent one, and again I have no insight on how this is all set up, so can't really say.
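The injection scenario described a few posts up (a search term changing the query) and the point about handling it at the DB/ORM level rather than with a word filter, as an added illustration that is not this site's or XenForo's code. The table, column names and thread titles are constructed for the example; SQLite stands in for whatever database the forum actually runs.

```python
import sqlite3

# Constructed sample data; this is not the site's real schema or titles.
THREADS = [
    (1, "Andromeda 2020 and MMW10 loaner"),
    (2, "Precision 1 owners"),
    (3, "FS: balanced amp [price drop]"),
]


def make_db():
    """In-memory SQLite database holding the constructed thread table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thread (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO thread VALUES (?, ?)", THREADS)
    return conn


def search_unsafe(conn, term):
    """Vulnerable form: the search term is spliced into the SQL text, so a
    quote inside the term rewrites the query itself. Shown only for contrast."""
    sql = "SELECT id FROM thread WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized form: the SQL text is fixed and the term is bound as a
    value, so quotes, brackets or any particular word are just data."""
    sql = "SELECT id FROM thread WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def unsafe_breaks_on(conn, term):
    """True when the concatenated query no longer parses for this term,
    i.e. the kind of input a character or word filter would be trying to catch."""
    try:
        search_unsafe(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for term in ["Precision", "[price drop]", "Meze's", "x' OR 1=1 --"]:
        unsafe = "error" if unsafe_breaks_on(db, term) else search_unsafe(db, term)
        print(repr(term), "safe ->", search_safe(db, term), "unsafe ->", unsafe)
```

With binding in place, a title containing an apostrophe or brackets is searched like any other, and the `OR 1=1` term matches nothing instead of dumping every row, which is why no word needs to be whitelisted at the SQL layer.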
I'm paranoid of SQL injection and don't have time (money) to tweak things.
Pick two of the three.
@purr1n security first and foremost
This is a free forum for us to join, which I'm very thankful for, so I completely understand; I just found those two and wanted to throw them out there.
Not sure what sort of error this is but it started randomly happening a couple of weeks ago. If I refresh the page it clears.
My new Andromeda 2020 and MMW10 loaner thread gives an error when trying to open the thread. And here I thought I was being nice to SBAF.
But but...I'm nice to you.
Getting a 403 here:
Yeah--that's mine, the result of trying to post a F.S. here. I contacted SBAF's general email address about this. Not sure what else to do.
Here's the URL to the nearly identical listing on "the other headphone site":
Fixed. It's the brackets.