SECURITY ISSUE: %3f redirect

@LeonidS my friend, I am hoping you can help me here.

The share pop-up on my site, and other redirect URLs are going to

domain.com/redirect?url=https%3A%2F%2Fwww.facebook.com%2Fsharer%2Fsharer.php%3Fu%3

It throws a 403.

Do you know why this could be happening? And where it is controlled from? Having a hard time tracking it. Since pop-up share here works, it must be something I've done, or missed/forgot to update?

Thank you!

Replies (2)
    • Ok, so we have a security issue. I am asking @Anton L @LeonidS @Alex T⚜️ to please provide a quick fix. I will explain.

      Apache had a vulnerability. It was patched July 2024. My server would not allow redirects with ? urlencoded.

      Apache error log:

      Unsafe URL with %3f URL rewritten without UnsafeAllow3F
      

      So, tracking this error, brought me to:

      https://stackoverflow.com/questions/78729429/403-forbidden-when-url-contains-get-with-encoded-question-mark-unsafeallow3f

      I was able to get a temporary fix by changing UNA .htaccess to:

      RewriteRule ^(.+)$ r.php?_q=$1 [QSA,L,UnsafeAllow3F]
      

      Now, the rewrite allows the %3f rewrite, but this is a security issue, and it should not be something set to the side.

      We need to change where the URL encoding is done. Where is this handled for redirects, which class or JS file? This fix works:

      $url = rawurlencode(str_replace('?', '?', $url));
      

      Just need to know where the redirect is in code. Please reply ASAP.

      Thank you!

      • Also, anyone not seeing this error in Apache, upgrade Apache. Two vulnerabilities were patched, one with a CVSS score of 9.1/10.
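The following is an added example written for this page; it is not code from the thread, from UNA or from Apache. It models the `RewriteRule ^(.+)$ r.php?_q=$1 [QSA,L]` rule quoted above well enough to show when the `%3f` check fires (an approximation: the real mod_rewrite logic is more involved, but the observable behaviour on the page is that a substitution that ends up containing `%3f` is refused with a 403 unless `UnsafeAllow3F` is set). It then shows one way to carry the redirect target that never puts a percent-encoded `?` into the rewritten URL, so the rule can stay without `UnsafeAllow3F`: base64url-encode the target and validate it against a host allow-list on the receiving side. The `/redirect?t=` parameter name, `ALLOWED_HOSTS`, and the sample share URL are all assumptions made for the example.

```python
"""Added example: model of the Apache 2.4.60+ %3f check discussed above,
plus a redirect-target encoding that avoids it. Not UNA or Apache code."""
import base64
from urllib.parse import quote, urlsplit

# The log line the thread quotes from the Apache error log.
APACHE_LOG = "Unsafe URL with %3f URL rewritten without UnsafeAllow3F"

# Constructed sample: the share pop-up target from the original post.
TARGET = "https://www.facebook.com/sharer/sharer.php?u=https://example.com/post/1"

# Assumed allow-list for the redirect endpoint (not from the page).
ALLOWED_HOSTS = {"www.facebook.com", "twitter.com"}


def apply_rewrite(request_uri, flags=("QSA", "L")):
    """Approximation of `RewriteRule ^(.+)$ r.php?_q=$1 [flags]`.

    Builds the substituted target (appending the query string when QSA is
    present) and refuses it with 403 if it contains %3f and the rule lacks
    UnsafeAllow3F. Returns (status, target_or_None, log_line_or_None).
    """
    path, _, query = request_uri.lstrip("/").partition("?")
    target = "r.php?_q=" + path
    if "QSA" in flags and query:
        target += "&" + query
    if "%3f" in target.lower() and "UnsafeAllow3F" not in flags:
        return 403, None, APACHE_LOG
    return 200, target, None


def share_url_percent(target):
    """What the site does today: rawurlencode-style encoding, which turns
    the '?' of sharer.php?u=... into %3F and trips the Apache check."""
    return "/redirect?url=" + quote(target, safe="")


def share_url_b64(target):
    """Alternative: base64url without padding. The output alphabet is
    [A-Za-z0-9-_], so the rewritten URL can never contain %3f."""
    token = base64.urlsafe_b64encode(target.encode()).rstrip(b"=").decode()
    return "/redirect?t=" + token


def decode_redirect_target(token, allowed_hosts=ALLOWED_HOSTS):
    """Server side: decode the token and validate the target.

    Rejects anything that is not http(s) to an allow-listed host, so the
    endpoint does not become an open redirect. Returns the URL or None.
    """
    padding = "=" * (-len(token) % 4)
    try:
        target = base64.urlsafe_b64decode(token + padding).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return None
    return target


if __name__ == "__main__":
    # Current encoding: 403 without the flag, 200 only with UnsafeAllow3F.
    print(apply_rewrite(share_url_percent(TARGET)))
    print(apply_rewrite(share_url_percent(TARGET), ("QSA", "L", "UnsafeAllow3F")))
    # base64url token: passes the unmodified rule and round-trips safely.
    url = share_url_b64(TARGET)
    print(apply_rewrite(url))
    print(decode_redirect_target(url.partition("?t=")[2]))
```

The allow-list check matters regardless of which encoding is chosen: a `redirect?url=` endpoint that forwards to any decoded value is an open redirect, and moving to base64url hides the target from casual inspection without making it any safer on its own.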
