After several conversations with my hosting provider, the .htaccess fix is the only one I can implement. I am actually lucky that they allow me to turn mod security off in the .htaccess file. I am attaching a snippet of one of the rules that can flag an HTTP request as being forbidden.
"(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)"

For what it's worth: if you name your curl files start.crl and manifest.mcrl and set the appropriate mime types, you can avoid this issue. In my case I am going to try to implement a directory structure that allows the Curl files to live in one tree on the web server that has mod_security turned off, and any data interactions with the server in a separate directory tree with it turned on. I haven't played with Curl for long enough, so I may be setting myself up for some problems. I.e.:

www.example.com/Curl/MyProg/start.curl

www.example.com/Data/MyProg/access.php

Then put an .htaccess in the Curl directory that allows curl files to be served, and let the Data directory keep the default settings to protect any poorly written php scripts.

Bob
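
An added example, not part of the original message: it runs the visible part of the quoted rule over constructed request lines to show which names trip it. It assumes the filter is matched case-insensitively against the request line, and it drops one unbalanced "(" from the truncated rule so that the fragment compiles.

```python
import re

# Visible part of the rule quoted in the message. The page's copy is cut off
# after "(http|https|ftp)", so one unbalanced "(" is dropped here to make it
# compile; whatever followed in the real rule is not reproduced.
RULE_FRAGMENT = (
    r"(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|"
    r"lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20(http|https|ftp)"
)

# Assumption: the filter is applied case-insensitively to the request line,
# so the keyword only has to be followed later by " HTTP/1.x".
RULE = re.compile(RULE_FRAGMENT, re.IGNORECASE)


def flagged(request_line):
    """Return the keyword that triggers the rule fragment, or None."""
    match = RULE.search(request_line)
    return match.group(1).lower() if match else None


# Constructed request lines built from the file names and paths in the message.
SAMPLES = [
    "GET /MyProg/start.curl HTTP/1.1",       # applet name containing "curl"
    "GET /MyProg/manifest.mcurl HTTP/1.1",
    "GET /MyProg/start.txt HTTP/1.1",        # same file served as .txt
    "GET /MyProg/start.crl HTTP/1.1",        # renamed as suggested above
    "GET /MyProg/manifest.mcrl HTTP/1.1",
    "GET /Curl/MyProg/start.crl HTTP/1.1",   # directory name alone matches
    "GET /Data/MyProg/access.php HTTP/1.1",
]


def report(samples=SAMPLES):
    """Map each request line to the triggering keyword (None if clean)."""
    return {line: flagged(line) for line in samples}


if __name__ == "__main__":
    for line, keyword in report().items():
        verdict = "403 (matched %r)" % keyword if keyword else "allowed"
        print("%-45s %s" % (line, verdict))
```

Under these assumptions a directory named Curl trips the fragment even when the files are renamed, so the renaming trick and the Curl/Data layout are alternatives: the Curl tree needs the engine off either way.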

-------- Original Message --------
Date:   Fri, 22 Sep 2006 10:15:11 -0400
From:   Bob Marriott <[EMAIL PROTECTED]>
To:     curlbreaker-l@curl.com
Subject:        403 Forbidden for my start.curl file


Hi Curlers

I had an issue with getting a Curl applet to run from my hosting site. I would get a "403 Forbidden - you don't have permission" error. I had set up the mime types, and if I put the same file up as a start.txt I can see it fine. After some investigation I found that Mod_security is often configured to disallow the other cURL (client Uniform Resource Locator http://curl.haxx.se/) from being exploited. I have temporarily worked around the issue by adding:

SecFilterEngine Off
SecFilterScanPOST Off

To the subdirectory that holds curl stuff. I hope to figure out more specific rules that protect against the other cURL exploits but allow "our" Curl to run. More to follow.


Bob


