Apache not processing encoded URLs with %3F - apache

The problem url links to my website are of the form
/fullpage.php%3F%20cp3_Hex%3D0F0200%26cp2_Hex%3D000000%26cp1_Hex%3DFC2024
The un-encoded url is
/fullpadge.php?cp3_Hex=0F0200&cp2_Hex=000000&cp1_Hex=FC2024
Apache returns a:
403: You don't have permission to access /fullpage.php? cp3_Hex=0F0200&cp2_Hex=000000
I have tried the following rewrite rule
RewriteRule ^/fullpage.php%3F(.*)$ /fullpage.php?$1
to no avail
Any ideas

You are almost certainly getting a 403 error.
The error is caused because ? is a banned file/directory name character on Windows and Linux. This means when Apache attempts to find a file or directory named "/document/root/index.php?blah" (after decoding) and it causes a 403 error. This is before the .htaccess files are read so you cannot use mod_rewrite in the .htaccess file to override this 403 error or an ErrorDocument defined in the .htaccess file to catch this error.
The only way to catch %3f is to use mod_rewrite or an ErrorDocument in a "VirtualHost" e.g. in httpd-vhosts.conf (or the main server configuration if there aren't any "Virtualhost"s e.g. in httpd.conf).

Related

local URL for apache ErrorDocument directive not working in .htaccess file

I want to use local URL (relative path) to show my custom 404 error message and it doesn't seem to be working as expected. As apache documentation stated here :
The syntax of the ErrorDocument directive is:
ErrorDocument <3-digit-code> <action>
where the action will be treated as:
A local URL to redirect to (if the action begins with a "/").
An external URL to redirect to (if the action is a valid URL).
Text to be displayed (if none of the above). The text must be wrapped in quotes (") if it consists of more than one word.
Methods 2 and 3 are working correctly. For testing purpose imagine a folder named test with 3 files.
index.php: main page
404.php: a custom 404 page
.htaccess:
RewriteEngine On
ErrorDocument 404 /404.php
Now accessing this URL http://localhost/test/blah-blah does not show my 404.php page instead a default Not Found page is displayed with this message:
The requested URL /tests/test-htaccess/asdasd was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an
ErrorDocument to handle the request.
Any idea how to fix this?
You probably found the solution to your problem since the time you asked, but for anyone having the same kind of issue, I would say the problem is that you are running your site with localhost.
The message says that Apache encountered a 404 error when trying to get the file specified for Errordocument 404, so it doesn't see
/404.php
I suggest you create a fake domain in your hosts file and set up a vhost with it.
Hosts on OSX :
sudo nano /etc/hosts
Hosts on Windows, Right-click this file to edit in administrator mode :
C:\WINDOWS\System32\Drivers\Etc\Hosts
and enter something like this:
127.0.0.1 myfakedomain.com
To set up virtual hosts, you must uncomment the call to httpd-vhosts.conf in httpd.conf (near the end, using MAMP in this case)
# Virtual hosts
Include /Applications/MAMP/conf/apache/extra/httpd-vhosts.conf
but the location of this file depends of the stack you are using (Wamp, Mamp, Xampp, etc) so search with the keyword "Virtual host" in its documentation.
Then you will be able to run your site using
myfakedomain.com/
in your browser and 404 errors should be handled the right way.

Apache forces URL to contain a backslash at the end of URL

I had just finished defining error pages using the ErrorDocument in httpd.conf. After restarting the server, I noticed that when I entered the address of a directory (not a file) like http://www.example.com/adirectory, Apache gave a "301 Moved Permenantly" error. Removing the ErrorDocument didn't do anything either. THe only way to access these URLs is to include a / at the end of the URL, like http://www.example.com/adirectory/ How can I allow URLs to be displayed without the / at the end. Thanks, San.
Check Apache rules.
Specifically .htaccess RewriteRule with a regular expression to end URL with a /

index.php/argument not found - strange issue with apache

when passing parameters after index.php its showing 404 error .. its apache error not the cms
but there is no problem accessing index.php directly
File does not exist: /home/me/web/test/index.php/a
File does not exist: /home/me/web/test/index.php/home
File does not exist: /home/me/web/test/index.php/contact
problem doesn't related to mod_rewrite because I am getting same error when index.php is in the URL ..
using .htaccess and mod_rewrite and removing index.php from url doesn't help :(
You're not making totally clear where those URLs come from, but from the looks of it, your web server's AcceptPathInfo directive isn't "On".
This directive controls whether requests that contain trailing pathname information that follows an actual filename (or non-existent file in an existing directory) will be accepted or rejected. The trailing pathname information can be made available to scripts in the PATH_INFO environment variable.

How do I display 404 errors instead of 403 errors in godaddy's Apache 1.3?

Apparently Apache 1.3 is used by no one except godaddy by now as I can't seem to find any relevant information for this.
I'd like to use .htaccess files to deny direct access to certain files on my site but without letting attackers know that such a file exists so I'd like to display a 404 "file not found" error instead of a 403 "forbidden" error.
Add following code in .htacess file.
RedirectMatch 404 ".*\/\..*"
it will prohibit access to all files or directories starting with a dot, giving a "404 Not Found" error.
with the help of
Is there a way to force apache to return 404 instead of 403?

.htaccess forcing error pages on SSL

I have the following piece of code in my .htaccess file to force redirecting to custom error pages:
ErrorDocument 404 /ErrorPages/404.php
ErrorDocument 403 /ErrorPages/403.php
ErrorDocument 400 /ErrorPages/generalError.php
ErrorDocument 401 /ErrorPages/generalError.php
ErrorDocument 500 /ErrorPages/generalError.php
Everything works fine on port 80, but when it comes to SSL, the standard error pages are shown.
To be more specific:
http:www.mydomain.com/NoExistingPage.php redirects to the custom error page
https:www.mydomain.com/NoExistingPage.php DOES NOT redirect to the custom error page
am I missing something here?
Thanks in advance
Try putting a duplicate .htaccess file in the /secured folder and see if that works. The vhost for the https daemon is probably using /secured as doc_root which means even if the .htaccess from the regular doc_root is below the secured folder it will be ignored.