Apache 403 Error - apache

I can access certain links from my site with no issue. However, if I try and manually type in the same URL as the link/button I get a 403 error.
For instance http://www.sumobid.com/logout.php
I have verified the permissions on the file but am still getting the error.
This is on a dedicated server.
Any ideas?

Sounds like you're not logged in for the second case. I.e., you can't logout if you're not logged in.
Edit: I.e., it seems as if the app is throwing a 403 for pages that require auth but don't have it. (As opposed to, say, redirecting to the login page.)

Seems I fixed my own problem. It turns out that I had inadvertently turned on LinkProtection in cPanel. Once that was disabled, everything started working as it should.

Related

403 Forbidden after Github Action

I have a Laravel 8 API application that was running 100% on shared VPS hosting.
Everything was fine; then I added a GitHub Action to do a simple CI/CD using https://github.com/SamKirkland/FTP-Deploy-Action.
Since then, something has happened to all my directory permissions, so I am getting a 403 Forbidden HTTP error message on all the API endpoints.
Can someone help me in this issue? Thanks a lot.
Considering SamKirkland/FTP-Deploy-Action is not supposed to change file permissions, the root cause should be either:
- some config cache issue,
- some missing bearer token, or
- a missing custom request class authorize() method.
Checking the logs should help narrow down the possible issues.

AWS Cognito built-in UI error posting credentials when using response_type=code

I have spent a significant amount of time searching for a solution here and can't find one. Here is the situation:
I am using the built-in Cognito UI
When I redirect my app to the UI with response_type=code, I get to the login page fine. When I enter my credentials and click "Sign In" the post request to the /login cognito endpoint results in a 405 method not allowed
If I instead redirect my app with response_type=token, it redirects to my return_url with no problem, but the parameters are harder to retrieve as they are hash parameters instead of query parameters.
I am actually a little surprised either one works because the documentation seems to indicate the /login endpoint is GET only: https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html
I'd prefer to use the code response_type anyway. Am I doing something wrong here? Is anyone else having this issue? I don't think I'm doing anything unusual. It feels to me like something is just broken in the built-in ui flow. I have definitely discovered that I should not be using the built-in UI, but I'd like to get this working and then replace it if possible.
Please let me know if you need more information and I'd be happy to provide it.
EDIT: It actually does work if I make the redirect_url google.com, which means it's something with my app and the redirect, but there is basically no indication about what is wrong. Anyone know where I can find any kind of relevant logs or information related to these types of errors in Cognito?
Alright, this appears to be a bug in the built-in UI and I'll file it with Amazon. I finally figured out that the redirect_uri I was sending over had a trailing slash and the one I configured in Cognito did not have a trailing slash. It works when I remove this.
The reason I believe this is a bug is because normally when I pass in an invalid redirect, the UI immediately sends me to a page with that error. When the only difference is a trailing slash, I can go through the login flow fine, but it hits that 405 method not allowed error when trying to redirect back to my flow.
Not sure if anyone else will run into this very odd edge-case, but hopefully this is helpful if you do.

Query string (URL) lead to 403

Please help me on this. I already tried disabling the mod_security module through .htaccess, no use.
PHP Version 5.6.30
Apache redirects the request to the 403 page if I pass the parameter below.
&test[object_type]=0
The name (object_type) leads to the 403 page.
eg:http://www.cudec.com.my/?test[object_type]=0 ✖ NOT WORKING LEADS TO 403
eg:http://www.cudec.com.my/?test[object_types]=0 ✓ WORKING
Will update this post to a full answer as soon as I get more information to work with ;)
I tried to call the 403-URL:
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Have you ensured that ModSecurity is the one replying with 403? It looks more like the folder permissions are insufficient.
Check that your DocumentRoot is at least readable for users (an 'r' in the last triple, or a 4 in the last byte).
If it's really ModSecurity, have a look into /var/log/apache2/modsecurity_audit.log and you should see which rule (by ID) is the one throwing 403 and also the reason (Error-Msg in the rule) why.
Does http://www.cudec.com.my/?test[object_types]=0 return the expected result?
The parameter doesn't seem to be interpreted when using &test[object_type] instead of &test[object_types], and the target resource / seems to have insufficient rights, same for the error pages...
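The answer above says to look in the ModSecurity audit log for the rule ID and message behind a 403. As an added example (not code from the thread or from ModSecurity itself), here is a small parser for the ModSecurity 2.x serial audit-log layout that pulls out, per request, the denied status, the rule id, msg and file, and the variable the rule matched on. The two log entries embedded in it are constructed; the boundaries, rule id 12345, file name and message are placeholders, not rules from the poster's server.

```python
import re
from typing import Dict, List

# Constructed sample in the ModSecurity 2.x serial audit-log layout (one entry per
# request, sections delimited by "--<boundary>-<letter>--"). Boundaries, rule id,
# file and message are placeholders, not rules from the poster's server.
SAMPLE_AUDIT_LOG = r"""--1a2b3c4d-A--
[01/Feb/2017:10:15:32 +0800] WJExample0000001 203.0.113.5 51234 198.51.100.7 80
--1a2b3c4d-B--
GET /?test[object_type]=0 HTTP/1.1
Host: www.example.com
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)placeholder" at ARGS_NAMES:test[object_type]. [file "/etc/modsecurity/rules/example.conf"] [line "42"] [id "12345"] [msg "Example: parameter name matched a local rule"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--1a2b3c4d-Z--

--5e6f7a8b-A--
[01/Feb/2017:10:16:01 +0800] WJExample0000002 203.0.113.5 51235 198.51.100.7 80
--5e6f7a8b-B--
GET /?test[object_types]=0 HTTP/1.1
Host: www.example.com
--5e6f7a8b-H--
Engine-Mode: "ENABLED"
--5e6f7a8b-Z--
"""

# "--<hex boundary>-<section letter>--" opens a section; Z closes the entry.
SECTION_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# [name "value"] tags that ModSecurity appends to each Message: line.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENY_RE = re.compile(r"Access denied with code (\d+)")
# "... at ARGS_NAMES:test[object_type]." names the variable the rule matched.
TARGET_RE = re.compile(r"\bat (\S+?)\.(?:\s|$)")


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Split serial audit-log text into entries, each a dict of section letter -> lines."""
    entries: List[Dict[str, object]] = []
    current = None
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2)
            if section == "A":                      # A always starts a new entry
                current = {"boundary": m.group(1)}
                entries.append(current)
            continue
        if current is not None and section not in (None, "Z"):
            current.setdefault(section, []).append(line)
    return entries


def denied_requests(text: str) -> List[Dict[str, object]]:
    """Return one finding per 'Access denied' message: which request, which rule, why."""
    findings = []
    for entry in parse_audit_log(text):
        request_line = (entry.get("B") or [""])[0]     # first line of section B
        for line in entry.get("H", []):                # H is the audit trailer
            if not line.startswith("Message:"):
                continue
            denied = DENY_RE.search(line)
            if not denied:
                continue                               # e.g. a warning, not a block
            tags = dict(TAG_RE.findall(line))
            target = TARGET_RE.search(line)
            findings.append({
                "boundary": entry["boundary"],
                "request": request_line,
                "status": int(denied.group(1)),
                "rule_id": tags.get("id", "?"),
                "msg": tags.get("msg", ""),
                "file": tags.get("file", ""),
                "target": target.group(1) if target else "",
            })
    return findings


if __name__ == "__main__":
    for f in denied_requests(SAMPLE_AUDIT_LOG):
        print(f"{f['request']}\n  -> {f['status']} by rule {f['rule_id']} "
              f"on {f['target']}: {f['msg']} ({f['file']})")
```

If the audit log has no entry with an "Access denied" message for the failing request at all, the 403 did not come from ModSecurity, which is exactly the distinction the answer asks the poster to make before touching rules: then it is Apache itself (permissions, Require directives, or a broken ErrorDocument, as the second line of the error page suggests).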

Heroku: Python Flask app - automatically redirecting from https to http

I'm writing an app for Facebook, which needs to be secure. The initial page, https://myapp.com, loads perfectly fine.
However when I click a link to https://myapp.com/link, Chrome complains that the app is trying to load from an insecure source. I get the following message in the console:
"[blocked] The page at 'https://www.facebook.com/page/app_###' was loaded over HTTPS, but ran insecure content from 'http://myapp.com/link/': this content should also be loaded over HTTPS."
Now the link is an absolute URL with the https prefix, yet apparently the page is trying to load from the http version.
I visited the domain itself and checked the Network tab in the Chrome console to see what was happening. The following happens:
The GET to https://myapp.com/link is a 301, moved permanently.
This then redirects to http://myapp.com/link
As far as I can tell, there is nothing in my python code to make this happen, so I suspect some feature of Heroku is causing this, but I haven't been able to find anyone else with this problem.
As a side note, I used Flask-SSLify to add a redirect back to the https version. This redirect works, but Chrome still blocks the page because it passes through the insecure version.
I feel so stupid for working this out five minutes after posting the question, but it is a little obscure.
It turns out the problem was that the page I was attempting to reach was "https://myapp.com/link/" with the trailing slash.
"https://myapp.com/link" redirects to "http://myapp.com/link/".
I don't know why the protocol isn't preserved by this redirect, it may be either Flask or Heroku, though I suspect it is Flask. Regardless it seems like a bug.
Hope this winds up helping somebody else.
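The behaviour the poster saw (an https request for /link answered with a 301 to http://myapp.com/link/) has a mechanical explanation worth showing: a WSGI framework builds the redirect target from the scheme the application sees, and on a platform where TLS is terminated at a router, the hop to the application is plain http, with the original scheme only carried in the X-Forwarded-Proto header. The following is an added illustration in bare WSGI, not code from the poster's app, from Flask or from Heroku. The hostname myapp.com and the /link/ path come from the question; the helper and middleware names are mine.

```python
def _canonical_url(environ, path):
    """Rebuild an absolute URL the way WSGI frameworks do: from the scheme and
    host the *application* sees. Behind a TLS-terminating proxy that scheme is
    http unless something has corrected wsgi.url_scheme first."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return f"{environ['wsgi.url_scheme']}://{host}{path}"


def app(environ, start_response):
    """Toy application with strict trailing-slash routing: the resource lives at
    /link/ and a request for /link is answered with a 301 to the canonical URL."""
    path = environ.get("PATH_INFO", "")
    if path == "/link":
        start_response("301 Moved Permanently",
                       [("Location", _canonical_url(environ, "/link/"))])
        return [b""]
    if path == "/link/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"content that must only be served over https\n"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def proxy_fix(wrapped, trust_forwarded_proto=True):
    """Middleware that copies X-Forwarded-Proto into wsgi.url_scheme. Turn it on
    only when a proxy you control (here the platform router) is the one setting
    the header; a directly reachable app must not let clients pick the scheme."""
    def middleware(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO")
        if trust_forwarded_proto and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return wrapped(environ, start_response)
    return middleware


def run_request(application, path, forwarded_proto="https"):
    """Deliver one GET to `application` the way a TLS-terminating router does:
    plain http on the last hop, original scheme in X-Forwarded-Proto.
    Returns (status line, Location header or None)."""
    environ = {                      # constructed WSGI environ, minimal keys only
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": "",
        "SERVER_NAME": "myapp.com",
        "SERVER_PORT": "80",
        "HTTP_HOST": "myapp.com",
        "HTTP_X_FORWARDED_PROTO": forwarded_proto,
        "wsgi.url_scheme": "http",   # what the dyno actually receives
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    b"".join(application(environ, start_response))
    return captured["status"], captured["headers"].get("Location")


if __name__ == "__main__":
    print("without proxy fix:", run_request(app, "/link"))
    print("with proxy fix:   ", run_request(proxy_fix(app), "/link"))
```

The first call reproduces the question's redirect chain (https request, Location pointing at http); the second is the fix. In Flask the equivalent of `proxy_fix` is Werkzeug's `ProxyFix` (`app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1)`), which is preferable to Flask-SSLify for this case: SSLify only bounces the browser back to https after it has already made one plain-http request, and that intermediate hop is what the browser's mixed-content check flags, and where any cookie without the Secure flag would already have been sent in clear.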

Error: redirect_uri_mismatch

I've been looking for this answer and the other pages didn't help me.
I'm trying to use the google drive api for php. I am trying to test on my local environment and receive this error.
Error: redirect_uri_mismatch
The redirect URI in the request: urn:ietf:wg:oauth:2.0:oob did not match a registered redirect URI
Request Details
scope=https://www.googleapis.com/auth/drive
response_type=code
redirect_uri=urn:ietf:wg:oauth:2.0:oob
access_type=offline
display=page
prompt=consent
client_id=735129338633-0epug8n80jsg0t50ijn7our4a661nnk6.apps.googleusercontent.com
Here is the page for the API:
The URL is
localhost:8888/Spreadsheets/driver.php
What am I doing wrong?
Looks like the current Google OAuth2 integration requires enabling
- Contacts API
- Google+ API
from the Google Developers Console for the associated project. In my log I noticed errors like 403, Access Not Configured. Please use ....
The redirect URI (where the response is returned to) has to be correct and exactly as you registered it in the APIs console, and the error is indicating that you haven't done that or you haven't done it correctly.
To get the redirect URI from the console:
- Go to the console for your project and look under API Access.
- Open the Credentials section (on the left side).
- You should see your client ID and secret there, along with a list of redirect URIs. If you want to change it or it was wrong, click edit settings and modify.
Even if your redirect URI is properly set in the console, a lot of the time, when you've recently changed settings in the Google dev console, it will still tell you there's a redirect mismatch. It's a surprisingly common occurrence.
You can try:
- Waiting; some have had luck with this, indicating that Google takes some amount of time to register recent changes.
- If you don't mind reconfiguring your app, creating a new client ID in the Google dev console tends to fix this problem with consistent results.
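Both the Cognito trailing-slash problem earlier on this page and Google's redirect_uri_mismatch here come from the same rule: when a client registers a full redirect URI, RFC 6749 section 3.1.2.3 requires the authorization server to compare the requested redirect_uri with it by simple string comparison, so "/callback" and "/callback/" are different URIs and a request carrying the wrong one must be refused. As an added example (mine, not Google's, Amazon's or either poster's code), here is that check next to the lenient prefix check people tend to write instead, plus a helper that reports which URI component differs, since neither provider's error says. The client id, hostname and paths are placeholders.

```python
from urllib.parse import urlsplit

# Constructed registration table: one client, one registered redirect URI.
# The client id and hostname are placeholders, not the poster's values.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://myapp.example/callback"},
}


def redirect_uri_allowed(client_id, requested):
    """Exact string comparison, as RFC 6749 section 3.1.2.3 requires when a full
    redirect URI is registered. No normalisation: a trailing slash, another
    scheme or port, or a different case in the path all fail."""
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, set())


def redirect_uri_allowed_prefix(client_id, requested):
    """The tempting 'lenient' alternative. It accepts the trailing-slash variant
    that tripped up the posters, but also any URI that merely starts with the
    registered value (extra path segments, traversal, attacker-chosen query),
    which is how an authorization code ends up delivered somewhere the client
    did not intend. Shown here only as the thing not to do."""
    return any(requested.startswith(uri)
               for uri in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def explain_mismatch(registered, requested):
    """List the URI components that differ, so the operator can see that the
    only difference is e.g. the path's trailing slash."""
    a, b = urlsplit(registered), urlsplit(requested)
    return [f"{part}: registered {getattr(a, part)!r}, requested {getattr(b, part)!r}"
            for part in ("scheme", "netloc", "path", "query", "fragment")
            if getattr(a, part) != getattr(b, part)]


if __name__ == "__main__":
    registered = "https://myapp.example/callback"
    for uri in (registered,
                "https://myapp.example/callback/",
                "http://myapp.example/callback",
                "https://myapp.example/callback/../other"):
        print(f"{uri}\n  exact={redirect_uri_allowed('client-123', uri)} "
              f"prefix={redirect_uri_allowed_prefix('client-123', uri)} "
              f"diff={explain_mismatch(registered, uri)}")
```

Whether /callback and /callback/ are the same resource is the application's business, not the authorization server's, so the practical rule is to make the string the client sends byte-identical to the one registered (and, if the app genuinely answers on both, register both). Running `explain_mismatch` against the value copied from the provider console and the value your app actually sends is a faster diagnostic than waiting for propagation or recreating the client ID.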