ModSecurityIIS: PHP Injection Attack (958976) protection does not work #494

Closed
rcbarnett-zz opened this issue Oct 17, 2013 · 3 comments
@rcbarnett-zz
Contributor

MODSEC-346: ModSecurity rule set:
#
# PHP injection
#

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<\?(?!xml)" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'959151',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958976',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"

WCAT Scenario:
transaction
{
    id = "PHP Injection Attack (958976) 1";
    weight = 100;

    request
    {
        setheader
        {
            name    = "Content-Length";
            value   = "1127";
        }
        url = "/default.aspx";
        statuscode = 403;
        port = 8080;
        verb = POST;
        postdata = "body=%20%20if%20(!function_exists(%22fs_copy_dir%22))%20%7B%0A%20%20%20%20function%20fs_copy_dir(%24d%2C%24t)%20%7B%0A%20%20%20%20%20%20%24d%20%3D%20str_replace(%22%5C%5C%22%2CDIRECTORY_SEPARATOR%2C%24d)%3B%0A%20%20%20%20%20%20if%20(substr(%24d%2C-1)%20!%3D%20DIRECTORY_SEPARATOR)%20%7B%24d%20.%3D%20DIRECTORY_SEPARATOR%3B%7D%0A%20%20%20%20%20%20%24h%20%3D%20opendir(%24d)%3B%0A%20%20%20%20%20%20while%20((%24o%20%3D%20readdir(%24h))%20!%3D%3D%20FALSE)%20%7B%0A%20%20%20%20%20%20%20%20if%20((%24o%20!%3D%20%22.%22)%20and%20(%24o%20!%3D%20%22..%22))%20%7B%0A%20%20%20%20%20%20%20%20%20%20if%20(!is_dir(%24d.DIRECTORY_SEPARATOR.%24o))%20%7B%24ret%20%3D%20copy(%24d.DIRECTORY_SEPARATOR.%24o%2C%24t.DIRECTORY_SEPARATOR.%24o)%3B%7D%0A%20%20%20%20%20%20%20%20%20%20else%20%7B%24ret%20%3D%20mkdir(%24t.DIRECTORY_SEPARATOR.%24o)%3B%20fs_copy_dir(%24d.DIRECTORY_SEPARATOR.%24o%2C%24t.DIRECTORY_SEPARATOR.%24o)%3B%7D%0A%20%20%20%20%20%20%20%20%20%20if%20(!%24ret)%20%7Breturn%20%24ret%3B%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20closedir(%24h)%3B%0A%20%20%20%20%20%20return%20TRUE%3B%0A%20%20%20%20%7D";
    }
    close
    {
        method      = ka;
    }
}

Web server returns 200 instead of 403.
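
An added example, not part of the original report and not ModSecurity's own code: a Python approximation of how the two rules above evaluate a form-encoded body, useful for separating "did the pattern match" from "what action was taken" when triaging a report like this one. The operator patterns are copied from the report; `SAMPLE_BODY` is a shortened excerpt of the scenario's postdata, the function names are hypothetical, the transformations are approximated, and the cookie and XML targets are not modelled.

```python
import html
import re
from urllib.parse import parse_qsl

# Operator patterns copied from the two SecRule lines in the report.
RULE_959151 = re.compile(r"<\?(?!xml)")
RULE_958976 = re.compile(
    r"(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)"
    r"|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)"
    r"|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)"
    r"|\$_(?:(?:pos|ge)t|session))\b"
)


def t_959151(value):
    # Approximation of t:htmlEntityDecode, t:compressWhitespace, t:lowercase.
    return re.sub(r"\s+", " ", html.unescape(value)).lower()


def t_none(value):
    # Rule 958976 uses t:none only, so the value is inspected as parsed.
    return value


RULES = [("959151", RULE_959151, t_959151), ("958976", RULE_958976, t_none)]


def collect_targets(body):
    """Return (variable name, value) pairs for ARGS_NAMES and ARGS."""
    # parse_qsl URL-decodes names and values, as happens before ARGS is populated.
    pairs = parse_qsl(body, keep_blank_values=True)
    targets = [("ARGS_NAMES:" + name, name) for name, _ in pairs]
    targets += [("ARGS:" + name, value) for name, value in pairs]
    return targets


def evaluate(body):
    """Return (rule id, matched variable, matched data) for every rule hit."""
    hits = []
    targets = collect_targets(body)
    for rule_id, pattern, transform in RULES:
        for var_name, value in targets:
            match = pattern.search(transform(value))
            if match:
                hits.append((rule_id, var_name, match.group(0)))
    return hits


# Constructed sample: two statements excerpted from the postdata in the scenario.
SAMPLE_BODY = (
    "body=%20%20%24h%20%3D%20opendir(%24d)%3B%0A"
    "%20%20while%20((%24o%20%3D%20readdir(%24h))%20!%3D%3D%20FALSE)%20%7B%7D"
)

if __name__ == "__main__":
    for rule_id, var_name, data in evaluate(SAMPLE_BODY):
        print(f"rule {rule_id}: matched {data!r} within {var_name}")
```

The `\b` anchors explain why `readdir` is reported while `opendir` in the same value is not: none of the alternatives begins with `o`.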

@rcbarnett-zz
Contributor Author

Original reporter: akurmi

@rcbarnett-zz
Contributor Author

akurmi: ModSecurity rule set

@rcbarnett-zz
Contributor Author

gregw: The reason why these rules return 200 is because they have 'capture' action in them. Change it to 'deny' and everything works.


@ghost ghost assigned zimmerle Oct 17, 2013