All CMS Builder Links suddenly return Error 403 - Forbidden

14 posts by 6 authors in: Forums > CMS Builder
Last Post: June 1, 2012

By Dave - May 14, 2012

Hi Steve,

Thanks for the recommendation! :)

If you still have a copy of that hacked .htaccess and the line wasn't already one that was picked up by the scanner, could you email me a copy of it at dave@interactivetools.com?

We're adding more and more patterns and should have an improved release out within a week or two.

Thanks!
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] All CMS Builder Links suddenly return Error 403 - Forbidden

By rconring - May 15, 2012

Good Grief!!! That explains a problem I have been fighting along with a site exploit for the past few days. My problem was similar, but somewhat different in that it only affected links where the ? was followed by a hyphen ... e.g. "?-". The remaining hyphens in the query caused no problem as long as a hyphen was not the first character in the query. I had to modify a ton of code to rectify this. Good to know it wasn't something I did. LOL
Ron Conring
Conring Automation Services
----------------------------------------
Software for Business and Industry Since 1987

Re: [rconring] All CMS Builder Links suddenly return Error 403 - Forbidden

By Steve99 - May 16, 2012

Yes, it definitely sheds some light on that!

In response to you identifying that PHP page links followed by "?-"... Here is one of the exploits... In affected server environments that haven't been patched, when "?-s" is entered in the URL bar following "yourpage.php" it reveals the ENTIRE PHP source code... As part of the patching, hyphens directly following the question mark are being set to be disallowed - thus breaking pages that have URL strings as such.

Hosting companies have been all over this since the info came out and attacks had hit. It's highly recommended to scan all hosting accounts that operate in the affected environment.

Hosting accounts running PHP-CGI have been vulnerable, mostly on "sandboxed" shared accounts that run PHP in this fashion - which was done for running individual instances with all intentions being to make it more secure in said environments...

There is a lot more information available if you research the CVE numbers on the php.net website.

Hope this helps.
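
An added example, not part of the original thread or of CMS Builder: a log check for the request form discussed above, which separates query strings that merely trip a "no hyphen after ?" rule from those with no unencoded "=", the form a CGI server hands to the program as command-line arguments. The log lines, paths and verdict names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field and status code of an Apache combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/May/2012:10:01:02 +0000] "GET /news.php?Company-Picnic-12 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/May/2012:10:01:09 +0000] "GET /news.php?-Company-Picnic-12 HTTP/1.1" 403 210',
    '198.51.100.7 - - [15/May/2012:10:02:30 +0000] "GET /yourpage.php?-s HTTP/1.1" 200 48211',
    '198.51.100.7 - - [15/May/2012:10:02:31 +0000] "GET /yourpage.php?%2ds HTTP/1.1" 403 210',
    '192.0.2.44 - - [15/May/2012:10:03:00 +0000] "GET /list.php?-sort=date HTTP/1.1" 403 210',
]

def classify_query(query):
    """Classify a raw (still URL-encoded) query string."""
    if not unquote(query).startswith("-"):   # "%2d" decodes to "-"
        return "ok"
    # CGI only turns the query string into command-line arguments
    # when it contains no unencoded "=" character.
    if "=" not in query:
        return "argv_form"
    # Leading hyphen but key=value style: blocked by a blanket
    # "hyphen after ?" rule, yet never passed as arguments.
    return "blocked_has_equals"

def scan_log(lines):
    """Return (line_no, path, verdict, status) for suspicious PHP requests."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, sep, query = match.group(1).partition("?")
        if not sep or not path.lower().endswith(".php"):
            continue
        verdict = classify_query(query)
        if verdict != "ok":
            hits.append((line_no, path, verdict, int(match.group(2))))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # An "argv_form" request answered with 200 was not blocked: review it first.
        print(hit)
```

An "argv_form" hit with a 403 status is the block rule doing its job; the same verdict on a site's own links (line 2 of the sample) marks URLs that need rewriting so the query no longer starts with a hyphen.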