Redirect when quote character: " is present in URL

Discussion in 'General Discussion' started by pwells, Sep 2, 2016.

  1. pwells

    pwells Member

    I have set two new servers within the last week, running CloudLinux and WHM. One of these servers is experiencing a strange issue when a quote character is present in the URL.

    The issue is that the URL appears to be redirecting to the root domain whenever a quote character (either urlencoded to: %22 or standard as: ") is present in the URL. This applies for all websites on the server but not the WHM or cPanel interface. Strangely this does not occur on the other server that I set up at the same time, with the exact same settings (it's even in the same configuration cluster).

    As a test, please visit the following URL: dev.example.net.au/test.html
    Now try with the following URL parameter: dev.example.net.au/test.html?test=%22

    For reference, our other server handles this fine: dev.domain.net.au/test.html?test=%22

    Anybody have any ideas what setting may be causing this behaviour?

    Thanks in advance.
     
    #1 pwells, Sep 2, 2016
    Last edited by a moderator: Sep 2, 2016
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    I'm unable to reproduce this issue when browsing to the following URL (with and without encoding) in a web browser:

    Code:
    "http://www.example.tld/%22testing%22.php"
    Do you have additional rewrite rules active in the .htaccess file?

    Thank you.
     
  3. pwells

    pwells Member

    It appears that the forum has replaced my URLs with example.net.au making it very difficult to demo this issue.
    Please advise how I can send a real URL through the forum without it being stripped out.


    It is not likely a .htaccess issue as it affects every site and account on the server - not just one account.
     
  4. pwells

    pwells Member

    I have also discovered that this issue occurs with other URL encoded characters. For example, a WordPress website on the server which calls the below URL with ajax, 302 redirects to http://dev.example.net.au/, causing the ajax call to fail.

    Code:
    http://dev.example.net.au/acco/wp-admin/admin-ajax.php?action=linktest&url=http%3A%2F%2Fwww.example.com.au%2FIndex.aspx
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The actual URL should not be required.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. pwells

    pwells Member

    We were able to resolve this issue yesterday afternoon.

    The ModSecurity system was causing this redirect; specifically the 'Application Attack SQLi' rule set in the OWASP core library.

    This was triggering the following error message in the Apache error logs:
    Code:
    [Tue Sep 06 16:20:31.013126 2016] [:error] [pid 329447] [client ***.***.***.***] ModSecurity: Access denied with redirection to http://dev.example.net.au/ using status 302 (phase 2). Pattern match "(?i:(?:[\\"'`]\\\\s*?(x?or|div|like|between|and)\\\\s*?[\\"'`]?\\\\d)|(?:\\\\\\\\x(?:23|27|3d))|(?:^.?[\\"'`]$)|(?:(?:^[\\"'`\\\\\\\\]*?(?:[\\\\d\\"'`]+|[^\\"'`]+[\\"'`]))+\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s*?[\\\\w\\"'`][+&!@(),.-])|(?:[^\\\\w\\\\s]\\\\w+ ..." at ARGS:test. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "108"] [id "981242"] [rev "2"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: \\x22 found within ARGS:test: \\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: dev.example.net.au"] [tag "application-multi"] [tag "language-mutli"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "dev.example.net.au"] [uri "/test.html"] [unique_id "V85gL9fy4L1UJMBVzAFsVgAAACA"]
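Added example, not part of the original posts and not cPanel or ModSecurity tooling: a small parser for Apache error-log lines in the format quoted above, which pulls out the rule id, the matched target and the block action (here a 302 redirect rather than a 403) and counts blocks per rule and target. The sample lines are constructed from the quoted entry, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log line quoted in the thread: the
# pattern is shortened, the client address is a documentation placeholder,
# and the /index.php request and the third line are made up for illustration.
SAMPLE_LOG = r'''
[Tue Sep 06 16:20:31.013126 2016] [:error] [pid 329447] [client 192.0.2.10] ModSecurity: Access denied with redirection to http://dev.example.net.au/ using status 302 (phase 2). Pattern match "(?i:(?:^.?[\"'`]$))" at ARGS:test. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "108"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: \x22 found within ARGS:test: \x22"] [severity "CRITICAL"] [hostname "dev.example.net.au"] [uri "/test.html"]
[Tue Sep 06 16:21:02.551904 2016] [:error] [pid 329451] [client 192.0.2.10] ModSecurity: Access denied with redirection to http://dev.example.net.au/ using status 302 (phase 2). Pattern match "(?i:(?:^.?[\"'`]$))" at ARGS:test. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "108"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: \x22 found within ARGS:test: \x22"] [severity "CRITICAL"] [hostname "dev.example.net.au"] [uri "/index.php"]
[Tue Sep 06 16:21:40.000000 2016] [core:error] [pid 329451] [client 192.0.2.10] File does not exist: /home/user/public_html/favicon.ico
'''

ACTION = re.compile(r'ModSecurity: Access denied with '
                    r'(?:redirection to (?P<to>\S+) using status|code) (?P<status>\d+)')
TARGET = re.compile(r' at (?P<target>[A-Z_]+(?::\S+?)?)\. \[file "')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec(line):
    """Return rule id, target, action and URI for a ModSecurity block entry,
    or None for lines that are not ModSecurity 'Access denied' messages."""
    action, target = ACTION.search(line), TARGET.search(line)
    if not (action and target):
        return None
    # Read [key "value"] fields only after the target, so brackets inside
    # the quoted rule pattern are never mistaken for metadata.
    meta = dict(FIELD.findall(line[target.end('target'):]))
    return {
        'id': meta.get('id'),
        'msg': meta.get('msg'),
        'target': target.group('target'),
        'status': int(action.group('status')),
        'redirect_to': action.group('to'),  # None when the block is a plain status code
        'uri': meta.get('uri'),
    }

def blocked_by_rule(log_text):
    """Count blocks per (rule id, target) and collect the URIs affected."""
    counts, uris = Counter(), {}
    for line in log_text.splitlines():
        event = parse_modsec(line)
        if event:
            key = (event['id'], event['target'])
            counts[key] += 1
            uris.setdefault(key, set()).add(event['uri'])
    return counts, uris

if __name__ == '__main__':
    counts, uris = blocked_by_rule(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(key[0], key[1], n, sorted(uris[key]))
```

The (rule id, target) pair it reports is what a narrowly scoped exclusion such as `SecRuleUpdateTargetById` or `SecRuleRemoveById` needs, as opposed to turning off the whole SQLi rule file.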
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.
     