Ending URL Query String with Equals Symbol can cause HTTP 403 Forbidden

Recently, I ran into a strange issue with phpBB 3+. The product installed and everything seemed to be working, yet whenever a user tried to look up another user while composing a private message (by clicking the “Find A Member” button), the hosting platform would throw a 403 Forbidden error.



I soon discovered that if I removed the trailing parameter that had no value, the query was accepted by the server. I also found that if I simply added an ampersand to the end of the query string, the query was accepted as well.

Interestingly, I had the mod_security logs checked: no hits. I also checked file permissions and all the usual suspects, and found nothing.

I finally resorted to opening up the source file includes/ucp/ucp_pm_compose.php and found the line building the URL that triggered the issue. In the version I was using, it was around the line 131 mark:

 'U_FIND_USERNAME' => append_sid("{$phpbb_root_path}memberlist.$phpEx", "mode=searchuser&form=postform&field=username_list&select_single=$select_single"),

The string itself seems fairly harmless. However, the final parameter interpolates the value stored in $select_single, which, depending on the board configuration and the user's permissions, is either true or false.

When it is true, the parameter is sent as select_single=1 and everything works. The problem is what happens when it is false. Earlier in the same file, the authors set the variable as follows:

 $select_single = ($config['allow_mass_pm'] && $auth->acl_get('u_masspm')) ? false : true;

You might look at that and say it is fine, it is just handing down a true or false. The problem is how PHP converts booleans to strings: true becomes the string "1", but false becomes the empty string "". So when $select_single is false, the generated URL ends in select_single= with nothing after the equals symbol.

I think most hosting environments would not care about a query parameter that has no value assigned, but I happened to be hosting with a strict provider that rejects (403 Forbidden) any request whose URL ends with a query parameter that has no value.

As I didn’t have time to fully evaluate the implications of modifying $select_single directly, I simply added a dodgy fix just before the $template->assign_vars(array( section to force U_FIND_USERNAME to carry a 0 when the value is false (and a 1 when it is true):

  // Map the boolean to an explicit '0' or '1' so the query string never ends in "select_single="
  if ($select_single == false) { $bug_select_single = '0'; } else { $bug_select_single = '1'; }

I then modified the U_FIND_USERNAME line to read:

'U_FIND_USERNAME' => append_sid("{$phpbb_root_path}memberlist.$phpEx", "mode=searchuser&form=postform&field=username_list&select_single=$bug_select_single"),
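To make the conversion behaviour and the fix concrete, here is an added example (not phpBB code and not part of the original post) that builds the same query string three ways: interpolating the boolean directly as phpBB does, casting it to int first as the workaround above effectively does, and using http_build_query. The function names and the trailing-equals check are my own; the check mirrors the host's rule described in this post, not a real rule from any particular provider.

```php
<?php
// Added example, not phpBB code. Function names below are hypothetical.
// Shows why "select_single=$select_single" produces a trailing "=" when the
// boolean is false, and two ways to make the value explicit.

const BASE_QUERY = 'mode=searchuser&form=postform&field=username_list';

// The phpBB pattern: a PHP boolean interpolated directly into a string.
// true becomes "1", false becomes "" (empty), so the URL ends in "select_single=".
function build_query_interpolated(bool $select_single): string
{
    return BASE_QUERY . "&select_single=$select_single";
}

// Workaround 1: cast to int before interpolating, so false becomes "0".
// This is equivalent to the '0' / '1' mapping used in the post.
function build_query_cast(bool $select_single): string
{
    $flag = (int) $select_single;
    return BASE_QUERY . "&select_single=$flag";
}

// Workaround 2: let http_build_query encode the parameters. It converts
// boolean true to "1" and false to "0", and URL-encodes every value.
function build_query_http_build(bool $select_single): string
{
    return http_build_query([
        'mode'          => 'searchuser',
        'form'          => 'postform',
        'field'         => 'username_list',
        'select_single' => $select_single,
    ]);
}

// Mirrors the hosting rule described in the post: a query string whose last
// parameter has no value (the string ends with "=") is rejected with a 403.
function host_would_reject(string $query): bool
{
    return substr($query, -1) === '=';
}

foreach ([true, false] as $select_single) {
    $label = $select_single ? 'true ' : 'false';
    foreach ([
        'interpolated' => build_query_interpolated($select_single),
        'cast'         => build_query_cast($select_single),
        'http_build'   => build_query_http_build($select_single),
    ] as $method => $query) {
        printf(
            "select_single=%s %-12s %s  [%s]\n",
            $label,
            $method,
            $query,
            host_would_reject($query) ? 'REJECTED (trailing =)' : 'accepted'
        );
    }
}
```

Running it with `php` on the command line shows that only the interpolated form with $select_single = false ends in `select_single=` and is flagged, while both workarounds produce `select_single=0` for false and `select_single=1` for true. Of the two, http_build_query is the more robust choice because it also encodes values that could contain `&`, `=` or other reserved characters.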

This issue will only affect a phpBB system where:

1. The host is strictly checking URLs that end with an equals symbol (=), i.e. a query variable with no value at the end of a URL.

2. The phpBB private message settings have “Allow sending of private messages to multiple users and groups” set to yes, and the user has the u_masspm permission (that is the combination that makes $select_single false in the code above).

It’s a fairly obscure problem, I didn’t see anything out there on this issue and it seems to still be an issue right up to the February 1, 2015 release of phpBB 3.1.3.

I hope that helps someone out there that might be having a similar problem.
