This topic is now archived and is closed to further replies.

vicster

Advanced Search - 403 Forbidden error

21 posts in this topic

I've never seen this before...LOL

 

When you go to advanced search and type in whatever, and check the box to include the description (and then hit 'search'), you are taken to an HTTP 403 Forbidden error page which says 'This site requires you to log in.'

 

Any ideas where this might be coming from?

 

(I'm so glad I'm finding these things before I go live...LOL)


Anyone? I believe it may be from the anti-XSS contribution I added for security, but I'm not sure. Here's a snippet from my htaccess file:

 

# anti xss script 1 - pci compliance - by pixclinic
Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

If it is the htaccess file preventing people from doing an advanced search, is there any way around it?

 

Thanks!


Or give your URL so someone can actually see what's going on.

 

I realize there are pros and cons to posting store URLs (especially if it's a work in progress), but on the other hand "a link can be worth a thousand words" (to butcher a common phrase).

 

Posting your URL normally (like www.yoursite.com) can result in your posts here showing up when people search for your site.

 

If you phrase it like y o u r s i t e DOT c o m posts here probably won't normally appear on search engine searches for your site.

 

Just my two cents.


Thanks for taking a look, Jim!

 

its okay to sh o w of f DOT com (without the spaces, of course :) )

 

Try searching for a 'red labret' in advanced search with the 'include description' checked.


I'm not the sharpest tool in the shed, Ma'am, but I can't find a link to the osC part of the site anywhere.

:blush:

 

If you want you can PM it to me.

 

Or maybe I'm just blind as a bat....

:blink:


When I do that, it says:

 

 

 HTTP 404  
  Most likely causes:
There might be a typing error in the address. 
If you clicked on a link, it may be out of date. 

  What you can try: 
 Retype the address.  

 Go back to the previous page. 

 Go to  and look for the information you want.  

 More information

 

s h o w o f f DOT c o m SLASH c a t a l o g


Can you just PM me a link that works for you?

:unsure:

 

That aint workin' for me neither...

:blush:


Stupid should hurt.

 

If so, I'd be in a lot of pain right about now...

:lol:


Believe it or not, I was under the impression the "itsoakay" was a reassurance.

 

*COUGH* *COUGH*

:o

 

Anyway, enough of my stupidity...

:blush:

 

I think one of your anti hacking measures is the culprit.

 

A URL like this:

 

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret

Works fine.

 

This:

 

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret&search_in_description=1&categories_id=&inc_subcat=1&manufacturers_id=&pfrom=&pto=&dfrom=&dto=&x=89&y=15

Or even:

 

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret&search_in_description=1

Yields the error.

 

I've compared the longer URLs to what works on my site and I don't see anything malformed in the URL.

 

I'm baffled.

(As if that's difficult... :blush: )


You crack me up! :)

 

Well, I'm baffled, too. I'm really hoping that someone familiar with those two contributions will see this post. (I'm really kicking myself for not posting this in the Contributions forum first). I think I'm going to start with removing the .htaccess file and seeing what happens, though I won't know what to change or what to do to it to get my adv. search working again if it is, in fact, the culprit.

 

I do appreciate your looking at it, though.

 

BTW - I wanted to ask you if my site took a long time to load (I use a ton of jpg files) or if you experienced anything that was a nuisance. You can be honest. And, of course, if you're busy you don't have to answer. :)


Well, this thread wasn't a total bust... You got a good laugh out of it (I think)!

:lol:

 

I'm not familiar enough with the anti-hacking (or .htaccess files in general) to be much use.

 

As for load time, I have what they call "economy cable" (which is supposed to be like 21 times faster than dial-up) and your site loads fast enough that if I blink I miss it (the load time, that is).

;)


Thanks for letting me know about the load time!

 

Just in case someone comes along that knows .htaccess stuff, here's 'Part Two' of the .htaccess file (I should have posted this along with the first part):

 

# extra anti uri and xss attack script 2 - sql injection prevention
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteRule (,|;|<|>|'|`) /log.php [NC]

 

I will try removing the .htaccess file next, and then try to single out what part is messing with advanced search if removing it helps...


Well, here's the gist. If I remove 'Part one' of the htaccess file, then advanced search works just fine. When that part of the htaccess is there, advanced search will only work as long as you do not check the box to include the description...which defeats the purpose.

 

Any suggestions on what I can do to that 'Part one' (the first code box I posted) to allow my advanced search to work would be greatly appreciated!


This line:

 

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

I think it's the "bad boy".

 

Change it to this:

 

# RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

BACKUP BEFORE EDITING.

 

Basically this renders that one line ineffective.

 

Does that fix the problem?

:unsure:


Yes, that seems to have worked. You know more than you thought! :) I guess it didn't like the '&'? Just guessing...


My hunch is because:

 

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret&search_in_de[color="#FF0000"]script[/color]ion=1

And this:

 

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

Tells it to error out with anything with "script" in it.


...search_in_description=1

 

You've gotta be kidding me! Why do I seem to be the only one having this problem? LOL!

 

I searched this forum as best I could before posting and didn't find anyone else having this problem. I hope it's not because they 'just don't know it'.

 

Thank you so much for figuring it out! I hope that commenting that out doesn't leave me open...but I think that SecurityPro will catch anyone trying anything.

 

Kudos!

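Added example (not part of the original thread or of the contribution's code): a Python model of how the 'Part one' script condition can match search_in_description=1, assuming the server's regex library treats \< and \> as GNU-style word anchors rather than as literal angle brackets, which is how PCRE reads them. It also checks the unescaped spelling that 'Part two' already uses, as an alternative to commenting the line out. The helper names and the third query string are constructed for illustration.

```python
import re

# Rule from 'Part one' of the .htaccess as posted in the thread, and the
# unescaped spelling that 'Part two' uses for the same check.
RULE_POSTED = r"(\<|%3C).*script.*(\>|%3E)"
RULE_UNESCAPED = r"(<|%3C).*script.*(>|%3E)"

# Query strings: the first two are from the thread, the third is constructed
# here to stand for a request that really carries an encoded tag.
Q_KEYWORDS = "keywords=labret"
Q_DESCRIPTION = "keywords=labret&search_in_description=1"
Q_ENCODED_TAG = "keywords=%3Cscript%3Ex%3C/script%3E"


def compile_cond(pattern, word_anchors):
    """Compile a RewriteCond pattern as the [NC] flag would apply it.

    word_anchors=True models a regex library with the GNU extension where
    \\< and \\> anchor the start and end of a word (assumed here to be what
    the poster's server did); False models PCRE, where they are literal
    '<' and '>'.
    """
    if word_anchors:
        pattern = pattern.replace(r"\<", r"\b(?=\w)")
        pattern = pattern.replace(r"\>", r"\b(?<=\w)")
    return re.compile(pattern, re.IGNORECASE | re.ASCII)


def is_blocked(query, pattern, word_anchors):
    """True if this condition alone matches and would trigger the [F] rule."""
    return compile_cond(pattern, word_anchors).search(query) is not None


def matrix():
    """Evaluate both rule spellings under both dialects for every query."""
    return {
        (name, rule, anchors): is_blocked(query, pattern, anchors)
        for name, query in (("keywords", Q_KEYWORDS),
                            ("description", Q_DESCRIPTION),
                            ("encoded_tag", Q_ENCODED_TAG))
        for rule, pattern in (("posted", RULE_POSTED),
                              ("unescaped", RULE_UNESCAPED))
        for anchors in (True, False)
    }


if __name__ == "__main__":
    for key, hit in sorted(matrix().items()):
        print(key, "BLOCKED" if hit else "allowed")
```

Under the word-anchor reading, the posted rule blocks every query string that contains "script" anywhere; the unescaped spelling behaves the same in both dialects and still matches the encoded tag.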