Ending URL Query String with Equals Symbol can cause HTTP 403 Forbidden

Posted by & filed under .

Recently, I ran into a strange issue with phpBB 3+. The product installed, everything seemed to be working yet, whenever a user would try to look up another user whilst trying to send a private message (trying to click the “Find A Member” button), the hosting platform would throw a 403 Forbidden error.

ucp-private-message-find-member

forbidden

I soon discovered that if I removed the trailing parameter with no definition, the query was accepted by the server. I also found that if simply added an ampersand to the end of the string, the query was also accepted.

Interestingly, I had the mod_security logs checked – no hits. Checked file permissions, etc all the usual suspects – nothing.

I finally resorted to opening up the source file under includes/ucp/ucp_pm_compose.php and found that the underlying string triggering the issue. In the version I was using, it was around the line 131 mark:

 'U_FIND_USERNAME' => append_sid("{$phpbb_root_path}memberlist.$phpEx", "mode=searchuser&form=postform&field=username_list&select_single=$select_single"),
));

The string itself seems fairly harmless – however; the final parameter was attempting to retrieve the value stored in $select_single – which depending on the board setting should be either true or false somewhere throughout the configuration items within phpBB.

In the case of true, an expected result is 1 (or anything other than 0 for that matter). What I found is that earlier in the code, the authors have specified the following:

 $select_single = ($config['allow_mass_pm'] && $auth->acl_get('u_masspm')) ? false : true;

You might look at that and say, yeah – that’s fine – it’s handing down a true or false.. The problem here is that in PHP, if you were to echo true, you’d see the number 1 echoed to screen – if you were to attempt to echo false you would see nothing at all.

I think most hosting environments would probably not care about a query parameter that has no actual value assigned, but I happened to be hosting with a strict provider that rejects / blocks / forbids a query parameter with no value as the last parameter.

As I didn’t have time to fully evaluate the implications of modifying $select_single directly, to fix the issue, I simply added in a dodgy fix before the $template->assign_vars(array( section to force the query to output a 0 to U_FIND_USERNAME if the value was false:

  if ($select_single==false) { $bug_select_single = '0'; } else {$bug_select_single = '1'; }

I then modified the U_FIND_USERNAME line to read:

'U_FIND_USERNAME' => append_sid("{$phpbb_root_path}memberlist.$phpEx", "mode=searchuser&form=postform&field=username_list&select_single=$bug_select_single"),

This issue will only affect a phpBB system where:

1. The Host is strictly checking URLs that end with an equals symbol (=) (ie; a query variable with no value at the end of a URL)

2. Private message Settings in PHP has “Allow sending of private messages to multiple users and groups” set to yes.

It’s a fairly obscure problem, I didn’t see anything out there on this issue and it seems to still be an issue right up to the February 1, 2015 release of PHP 3.1.3.

I hope that helps someone out there that might be having a similar problem.

Leave a Reply

Your email address will not be published. Required fields are marked *