Forum

I recently decided to move a server over to Hiawatha. The owner runs a torrent site, and when I was able to get the site running, I've been noticing logs that the announce.php file is getting 403 - Forbidden from the torrent clients. The error logs are also flodding with -0300|URL contains forbidden characters

This is the config for the Vurtual Host:

VirtualHost {
   Hostname = tracker.net
   WebsiteRoot = /home/usertrack
   StartFile = index.php
   AccessLogfile = /home/usertrack/sitelogged/access.log
   ErrorLogfile = /home/usertrack/sitelogged/error.log
#   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   # if ownCloud or alike is installed, otherwise, it should be "no"
#   WebDAVapp = yes
   # <script .. </script>
   # e.g. <script>alert("xss");</script>
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
   DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
   # <meta .. />
   # e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/>
   DenyBody = ^.*%3Cmeta.*%2F%3E.*$
   DenyBody = ^.*%3CMETA.*%2F%3E.*$
   DenyBody = ^.*%3CMeTa.*%2F%3E.*$
   DenyBody = ^.*%3CmEtA.*%2F%3E.*$
   # <iframe .. />
   DenyBody = ^.*%3Ciframe.*%2F%3E.*$
   DenyBody = ^.*%3CIFRAME.*%2F%3E.*$
   # Null Byte
   DenyBody = ^.*%00.*$
#   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   ExecuteCGI = yes
   PreventXSS = yes
#   WrapCGI = jail_mysite
}

This is the server Config - I took out a few lines so you won't have have an entire page filled with the config and only left the ones I am using... The user is in /home/usertrack and I have the permissions set to root (May not be the best secure way if its in a /home folder, but this was where I had the files when we ran Apache, and I already had trouble getting them to get past the forbidden error, but I am noticing the forbidden errors for announce.php for torrent clients. Is there anything I should try differently?

ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper
CacheSize = 300
CacheMaxFilesize = 656
# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
	Port = 80
#	Interface = 127.0.0.1
	MaxKeepAlive = 30
	TimeForRequest = 3,20
MaxRequestSize = 9000
MaxUploadSize = 260
}

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
#KickOnBan = yes
#RebanDuringBan = yes


# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php-cgi:php


# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
I left this like the default...


Include /etc/hiawatha/enable-sites

Hiawatha version: 9.9
Operating System: Ubuntu 14.4

The DenyBody does a case insensitive pattern matching, so you can remove all the upper-/lowercase variants.

What kind of URLs are we talking about? If Hiawatha complains about 'forbidden characters' in the URL, it must have contained unusual characters, like the NULL byte or escape character.

Hugo,

Thanks for the DenyBody tips.

The site is a torrent site, and some of the URL's have a lot of characters. Sorry for the late reply.

Try the hidden "SecureURL = no" option to bypass the dangerous-character check in Hiawatha.