FAQ
Hi,

I'm on shared hosting. Because of security concerns on their part
[1], every time the text "curl u" is inputted, a 403 forbidden is
given and the form is not submitted. This is of course a problem as
I'm doing work for a children's literacy program, and plenty of
people try to input "curl up with a book".

I'm trying to use 'str_replace' to solve this issue, but I can't seem
to get around the 403 error.

It appears as if the hosting service doesn't give me a chance to
replace "curl u" with something else prior to them blocking the
attempted submit.

I can tell my str_replace is working as if I change the searched text
to something other than "curl u" it does in fact replace it and
submit it correctly.

Anyone have any ideas for a workaround? My next thought is to use
javascript, but I think the site serves quite a few people who might
not have javascript on.

Thanks for listening. Below is the PHP [2].


best,

Charles


[2]
<?php
// Grabbing the data from the form. $task and sanitize_paranoid_string()
// are set up elsewhere in the script (not shown here).

if ($task == "updateInfo")
{
    $activityChallenges = cs_remove_curl_up(sanitize_paranoid_string($_POST["activityChallenges"]));
}

// change "curl u" to "EDIT kurl u", optionally enforcing a length range
function cs_remove_curl_up($string, $min='', $max='')
{
    $string = str_replace("curl u", "EDIT kurl u", $string);
    $len = strlen($string);
    // Return FALSE when a minimum or maximum length was given and violated.
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return $string;
}



[1]
My host told me this:

"Mod_security is restricting this and blocks all url's with C-url.
This is done because of some php worms that are spread using c-url. I
would recommend trying to work around this. It will be a major
security issue for us to allow this."


  • Rory Browne at Oct 10, 2005 at 10:12 pm
    I'm not completely sure, but I think they're talking shite. If curl is
    a security problem, then disable curl. They seem, from what you've
    said, to be pretty irrational. I respect security paranoia, but this
    is ridiculous.

    You could try replacing every letter in the word curl with its &#xxx;
    equivalent, but that might not work. You would also have to do it in
    JS, although I think that any browser with the exception of lynx has
    JS capabilities.
    --
    PHP General Mailing List (http://www.php.net/)
    To unsubscribe, visit: http://www.php.net/unsub.php
  • Charles Stuart at Oct 10, 2005 at 10:19 pm
    A student-run server on my old campus used to turn off PHP for
    security reasons - ridiculous.

    Would it be possible to use XSS to call curl from a remote site? I'm
    just a beginner so that may or may not make sense.

    Indeed it does seem like JS is the solution - unfortunately - as it
    seems like their 'trap' catches any string including CURL U before I
    can str_replace the string after gathering the input with _POST.
    Anyone disagree?



    best,

    Charles



  • Jochem Maas at Oct 11, 2005 at 1:53 am

    Charles Stuart wrote:
    > A student-run server on my old campus used to turn off PHP for security
    > reasons - ridiculous.
    >
    > Would it be possible to use XSS to call curl from a remote site? I'm
    > just a beginner so that may or may not make sense.

    I'm not really a beginner but I don't know if that makes sense either :-S
    I'm pretty sure the answer is no.

    > Indeed it does seem like JS is the solution - unfortunately - as it

    workaround, not solution. a new host would be a solution,
    one that means you don't have to waste time coding around completely
    crazy setups.

    > seems like their 'trap' catches any string including CURL U before I

    seems like a total bogus filter. exactly what makes 'CURL U' so evil when
    passed to a php/cgi script anyway?

    > can str_replace the string after gathering the input with _POST. Anyone
    > disagree?

    well you could check out something like:

    <?php
    // read the raw POST body in 4 KiB chunks
    $putdata = fopen("php://input", "rb");
    while (!feof($putdata))
        echo fread($putdata, 4096);
    fclose($putdata);
    ?>

    or

    <?php
    // the same thing in one call
    echo file_get_contents('php://input');
    ?>

    or

    <?php
    // legacy global (deprecated in PHP 5.6, removed in PHP 7.0)
    echo $HTTP_RAW_POST_DATA;
    ?>

    > best,
    >
    > Charles
    >
    > On Oct 10, 2005, at 3:12 PM, Rory Browne wrote:
    >> I'm not completely sure, but I think they're talking shite. If curl is

    I think I can smell it here too.
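The thread turns on one ordering fact: mod_security inspects the request body inside the web server, before PHP is started, so neither the str_replace() in Charles's script nor a raw read of php://input as Jochem suggests ever runs for a request that the rule has already rejected with a 403. The only place the text can be changed before the rule sees it is the browser, which is why the JavaScript idea comes up. The example below is an added illustration, not code from the thread or from any of its posters: it models the two stages in Node-runnable JavaScript, with the browser-side encoding hook that would actually be shipped. The regex is an assumption standing in for the host's undisclosed rule (we only know it "blocks all url's with C-url"); the field name activityChallenges is the thread's, while the hidden enc flag and the hex encoding are choices made here. On the server the decode step would be PHP's hex2bin() plus validation.

```javascript
// Added illustration, not code from the thread. Models the two stages a form
// POST passes through on the host described above: mod_security inspects the
// raw request body first, and the PHP script (where str_replace() lives) runs
// only if that inspection passes. The rule below is an ASSUMPTION standing in
// for the host's undisclosed rule; the field name comes from the thread, the
// "enc" flag is a name chosen here.
const ASSUMED_WAF_RULE = /curl\s+u/i;

// Stage 1 (web server + mod_security): match against the URL-decoded body,
// as a rule with a urlDecode transformation would. 403 on match, else 200.
function wafInspect(rawBody) {
  const decoded = decodeURIComponent(rawBody.replace(/\+/g, " "));
  return ASSUMED_WAF_RULE.test(decoded) ? 403 : 200;
}

// Parse application/x-www-form-urlencoded into an object (what $_POST holds).
function parseForm(rawBody) {
  const fields = {};
  for (const pair of rawBody.split("&")) {
    if (!pair) continue;
    const [k, v = ""] = pair.split("=");
    fields[decodeURIComponent(k.replace(/\+/g, " "))] =
      decodeURIComponent(v.replace(/\+/g, " "));
  }
  return fields;
}

// Browser side: hex-encode the field's UTF-8 bytes so no plain-text substring
// of the user's words is present in the request body at all.
function encodeField(value) {
  return Array.from(new TextEncoder().encode(value), b =>
    b.toString(16).padStart(2, "0")).join("");
}

// Server side (would be hex2bin() plus validation in the PHP script): decode
// only well-formed hex; anything else is rejected rather than guessed at.
function decodeField(hex) {
  if (!/^(?:[0-9a-fA-F]{2})*$/.test(hex)) throw new Error("malformed hex field");
  const bytes = Uint8Array.from(hex.match(/../g) || [], h => parseInt(h, 16));
  return new TextDecoder().decode(bytes);
}

// Stage 2 (PHP): only reached when the WAF returned 200. Decodes the field if
// the browser flagged it as encoded; otherwise takes it as submitted.
function phpStage(post) {
  const raw = post.activityChallenges || "";
  return post.enc === "hex" ? decodeField(raw) : raw;
}

// The whole round trip for one set of form fields: build the body exactly as
// a browser would, run the WAF, then the script. Returns {status, value}.
function submit(fields) {
  const rawBody = Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
  const status = wafInspect(rawBody);
  if (status !== 200) return { status, value: null }; // PHP never ran
  return { status, value: phpStage(parseForm(rawBody)) };
}

// Constructed sample submissions. Without JavaScript the literal phrase is on
// the wire and the 403 happens before any server-side replacement could run.
const blocked = submit({ task: "updateInfo",
                         activityChallenges: "curl up with a book" });
// With the encoding hook the body carries only hex digits, the rule finds
// nothing, and the script still receives the original text.
const passed = submit({ task: "updateInfo", enc: "hex",
                        activityChallenges: encodeField("curl up with a book") });

// Browser hook (inert under Node): encode the field and add the flag on submit.
if (typeof document !== "undefined") {
  document.addEventListener("submit", ev => {
    const field = ev.target.elements.namedItem("activityChallenges");
    if (!field) return;
    field.value = encodeField(field.value);
    const flag = document.createElement("input");
    flag.type = "hidden";
    flag.name = "enc";
    flag.value = "hex";
    ev.target.appendChild(flag);
  });
}
```

Two caveats a practitioner would want. First, this confirms Charles's worry rather than removing it: a visitor with JavaScript off submits the plain phrase, the WAF rejects it, and nothing in the PHP script can intervene, so the server must accept both the flagged-encoded and the plain form and the plain form will sometimes fail. Second, whether the encoded body passes the real rule depends on that rule's transformations, which the thread does not show; the cleaner fix is to get the rule ID from the host's mod_security audit log and have the host exempt that one rule or field for this form, which ModSecurity supports, rather than encoding around it.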

Discussion Overview
group: php-general @ php.net
category: php
posted: Oct 10, '05 at 8:42p
active: Oct 11, '05 at 1:53a
posts: 4
users: 3