Why doesn't this url work?


#1

For some reason, this URL doesn’t work when my site is hosted at DreamHost: http://www.atastandstill.com/gallery.php?uname=% 7C+HD+% 7C

This URL works fine when I’m running the site off my home computer.

I checked the error logs, and I get the following error:

[Mon Jan 15 14:50:51 2007] [error] [client 76.21.33.162] mod_security: Access denied with code 503. Pattern match “\\|+.[\\x20].[\\x20].*\\|” at THE_REQUEST [severity “E
MERGENCY”] [hostname “www.atastandstill.com”] [uri “/gallery.php?uname=% 7C+HD+% 7C”]

Anyone know how to allow the url above to work successfully? I see no reason why it should be blocked. (note: I put a space between the “%” and “7C” in the urls to allow it to display how I type the url in the browser–just remove the space to get the actual url I visited).


#2

The Dreamhost rules for mod_security don’t like the url. Unfortunately, DH does not publish (ostensibly for security reasons - security by obscurity?) their exact rules, so I can’t say precisely what about the url “breaks” under mod_security :frowning: .

That said, the easiest fix is to just run your domain without mod_security. You can do this from the control panel–>manage domains–> screen by selecting the “edit” link next to the domain name.

On the screen that results, de-select the “radio button” for “Extra Web Security” (which is what DH calls mod_security), save the form, and wait for the update to take effect (usally 10-20 minutes, though it could be longer or shorter).

–rlparker


#3

The ASCII character for that encoding is the pipe ("|") character. mod_security is probably rejecting it because of the threat of things like SQL injection. There is no logical reason for having such characters in a URL anyway.


Simon’s website
Save $100 on 1-year plans with promo code [color=#CC0000]SCJESSEY100[/color] (details)


#4

Thanks for the suggestion. I took off “Extra Web Security”, and now when I try to access “http://www.atastandstill.com/gallery.php?uname=% 7C+HD+% 7C” I get the following error:

Site Temporarily Unavailable
We apologize for the inconvenience. Please contact the webmaster/ tech support immediately to have them rectify this.
error id: “bad_httpd_conf”

Any ideas? I couldn’t find anything in access.log or error.log regarding this.


#5

That sounds like there was a “burp” in re-writing the Apache Configuration file after the change in settings. It happens, on occasion. You can often correct it yourself, as detailed in this wiki article on Bad_httpdconf, or you can contact Support for them to straighten it out.

–rlparker