HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Please upgrade here. These earlier versions are no longer being updated and have security issues.

Embed forum displaying forbidden error

zabeanzabean New
edited November 2010 in Vanilla 2.0 - 2.8
When I try to access my page with a remote vanilla embed I see the following (where the embed should be, not the entire page):

Forbidden

You don't have permission to access /lazy/lazyhtml/forum on this server.

When this error occurs the URL of the embed is:
http://www.mydomain.com/lazy/lazyhtml/forum/?remote=http://www.mydomain.com/lazy/lazyhtml/forum.php

When visiting that directly, I also recieve the Forbidden message, but forum/ is accessible without an error, and forum/?remote= is accessible, but it becomes inaccessible when the I have as much as forum/?remote=http%3A%2F%2Fwww.mydomain

As soon as there is that much text in the remote argument I receive the forbidden error, and of course what is generated by embed code embeds the full url: http://www.mydomain.com/lazy/lazyhtml/forum/?remote=http://www.mydomain.com/lazy/lazyhtml/forum.php

Can't seem to figure this out. It's on a fresh install of the latest vanilla, with the embed plugin enabled, and my embed code is
<script type="text/javascript" src="forum/plugins/embedvanilla/remote.js"></script>

All Browsers
PHP:
5.2.4
MySQL
5.1.50

Comments

  • This has been solved. The issue lies in mod security's 10_asl_rules.conf blocking url's being passed through as parameters, probably to prevent hacking attempts.
Sign In or Register to comment.