403 when POSTing a textarea containing CRLF

klenot
7 July 2014, 23:21
Hi,

I have a simple HTML form, inside it there is a textarea tag, and if it contains CRLF bytes (I press Enter while typing into the textarea) and I submit it, I get a 403 response. If it does NOT contain CRLF, it is successfully posted and PHP processes it smoothly. The 403 response is presented regardless of the submit method used (GET or POST).

How can I allow posting of CRLF characters? I wouldn't want to resort to mangling the content of the textarea using JavaScript.

Thank you for response.

Hiawatha version: v9.5
Operating System: CentOS 6.5

Hugo Leisink
8 July 2014, 21:20
What does the error logfile say? Or the system or exploit logfile?

klenot
9 July 2014, 00:32
Hugo,

The logs are empty, except the system.log, but it also does not contain anything interesting imho.

root@aps:/l/hiawatha # l -tr
total 40
-rw-r----- 1 65534 65534 0 14-05-02 16:10:33 garbage.log
-rw-r----- 1 65534 65534 0 14-05-02 16:10:33 exploit.log
-rw-r----- 1 65534 65534 0 14-05-02 16:10:33 error.log
-rw-r----- 1 65534 65534 335 14-05-05 04:16:11 system.log
-rw-r----- 1 65534 65534 284 14-05-11 03:27:02 access.log-20140504.gz
-rw-r----- 1 65534 65534 261 14-05-18 03:47:02 access.log-20140511.gz
-rw-r----- 1 apache apache 20 14-05-25 06:46:01 access.log-20140518.gz
-rw-r----- 1 apache apache 20 14-06-01 12:49:26 access.log-20140525.gz
-rw-r----- 1 apache apache 20 14-06-08 03:37:01 access.log-20140601.gz
-rw-r----- 1 apache apache 20 14-06-15 03:26:03 access.log-20140608.gz
-rw-r----- 1 apache apache 20 14-06-22 03:33:03 access.log-20140615.gz
-rw-r----- 1 apache apache 0 14-06-29 04:25:01 access.log-20140706
-rw-r----- 1 apache apache 20 14-06-29 04:25:01 access.log-20140622.gz
-rw-r----- 1 apache apache 20 14-07-06 09:48:41 access.log-20140629.gz
-rw-r----- 1 apache apache 0 14-07-06 09:48:41 access.log

root@aps:/l/hiawatha # cat system.log
Fri 02 May 2014 16:10:33 +0200|Hiawatha v9.5 started
127.0.0.1|Fri 02 May 2014 16:23:20 +0200|Client kicked
Fri 02 May 2014 16:23:20 +0200|Hiawatha v9.5 stopped
Fri 02 May 2014 16:23:21 +0200|Hiawatha v9.5 started
127.0.0.1|Sat 03 May 2014 03:26:39 +0200|Silent client disconnected
Mon 05 May 2014 04:16:11 +0200|Hiawatha v9.5 stopped

The only difference between a successful and a rejected URL is the presence of "%0D%0A" in it. This one is forbidden (responded 403):

http://localhost/jobs.php?active=true&title=QUALITY+ASSURANCE+MANAGER&employer=&tags=db+mssql&notes=line1%0D%0Aline2&rating=-30&editSubmit=851580539

While if I manually replace the part "%0D%0A" with a plus sign, it succeeds and the file jobs.php is loaded and processed by PHP.

My config file contains this (only non-comment lines):

root@aps:/l/hiawatha # grep '^[^#]' /etc/hiawatha/hiawatha.conf
ServerId = www:www
ConnectionsTotal = 250
ConnectionsPerIP = 25
SystemLogfile = /l/hiawatha/system.log
GarbageLogfile = /l/hiawatha/garbage.log
Binding {
    Port = 80
}
FastCGIserver {
    FastCGIid = PHP5
    ConnectTo = 127.0.0.1:9000
    Extension = php
    SessionTimeout = 900
}
Hostname = 127.0.0.1
UseFastCGI = PHP5
WebsiteRoot = /www
StartFile = phpinfo.php
AccessLogfile = /l/hiawatha/access.log
ErrorLogfile = /l/hiawatha/error.log

Very basic config imho.

Hugo Leisink
9 July 2014, 02:01
Try adding "SecureURL = no" to your configuration.
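As an added illustration (not code from the thread, and not Hiawatha's own implementation), the script below decodes the rejected and the accepted query string from klenot's post and applies a check of the same class as the one that produced the 403: it flags a request target that carries a percent-encoded CR, LF or NUL. The URLs are the ones posted above; the exact set of control characters checked, and the claim that this mirrors what SecureURL does, are assumptions made for the example. Once SecureURL = no is set the server no longer rejects such requests, so a check like this belongs in the application that reads the field (or in a log review) if you still want to notice them.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample input: the URL from the thread that drew a 403, and the
# variant that worked once "%0D%0A" was replaced by a plus sign.
REJECTED_URL = (
    "http://localhost/jobs.php?active=true&title=QUALITY+ASSURANCE+MANAGER"
    "&employer=&tags=db+mssql&notes=line1%0D%0Aline2&rating=-30"
    "&editSubmit=851580539"
)
ACCEPTED_URL = REJECTED_URL.replace("%0D%0A", "+")

# Assumed set of control characters a "secure URL" style filter would refuse
# in the request target. This is an assumption for the example, not Hiawatha's
# actual list.
CONTROL_CHARS = {"\r", "\n", "\0"}


def request_target(url):
    """Return the path plus query string, i.e. what appears on the request line."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def encoded_control_chars(url):
    """Control characters hidden behind percent-encoding in the request target.

    unquote() turns "%0D%0A" into "\\r\\n" but leaves "+" alone, so the
    accepted URL decodes to nothing suspicious.
    """
    decoded = unquote(request_target(url))
    return {c for c in decoded if c in CONTROL_CHARS}


def decoded_fields(url):
    """The form fields as PHP would see them in $_GET (first value per name)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def classify(url):
    """'reject' if the target carries encoded control characters, else 'accept'."""
    return "reject" if encoded_control_chars(url) else "accept"


if __name__ == "__main__":
    for label, url in (("rejected", REJECTED_URL), ("accepted", ACCEPTED_URL)):
        print(f"{label}: {classify(url)}; notes={decoded_fields(url)['notes']!r}")
```

Running it shows the rejected URL decoding to a `notes` field of `'line1\r\nline2'` and being classified `reject`, while the plus-sign variant decodes to `'line1 line2'` and passes; the difference is nothing but the two bytes the filter refuses.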

klenot
9 July 2014, 11:35
Woah!

Hugo, it works!

Thank you very much for your assistance and have a nice day.

This topic has been closed.