403 error for save <SCRIPT> into file on the server

Discussion in 'Java JSP/Servlet' started by saeeded, Jun 5, 2012.

  1. saeeded

    saeeded New Member

    Hi, and sorry for my English.
    I wrote a small application in PHP that reads/writes an HTML or TXT file through a simple form.

    It worked well until the server was updated with the LiteSpeed protection method.

    Here is my code ------> do.php
    PHP:
    <?php
    // set file to write
    $filename = "xx.txt";

    // data submitted by the form
    $newdata = $_POST['newd'];

    if ($newdata != '') {
        // open file
        $fw = fopen($filename, 'w') or die('Could not open file!');
        // write to file
        // added stripslashes to $newdata
        $fb = fwrite($fw, stripslashes($newdata)) or die('Could not write to file');
        // close file
        fclose($fw);
    }
    ?>
    And with this form I get the data to store in the "xx.txt" file:

    PHP:
    <?php
    // set file to read
    $filename = "xx.txt";
    $fh = fopen($filename, "r") or die("Could not open file!");
    $data = fread($fh, filesize($filename)) or die("Could not read file!");
    fclose($fh);
    ?>
    <html>
    <form action='do.php' method='post'>
    <!-- htmlspecialchars keeps stored tags such as </textarea> from breaking out of the form -->
    <textarea name='newd' cols='100%' rows='50'><?php print htmlspecialchars($data); ?></textarea>
    <input type='submit' value='Save Data'>
    </form>
    </html>
    It will accept all characters or HTML tags through this form and store them in the TXT file, but when I want to save the <script> character, alone or in the middle of HTML tags, LiteSpeed returns an error:

    403 Forbidden
    " Access to this resource on the server is denied!"
    Powered By LiteSpeed Web Server
    ....

    This 403 error is not reported in the Apache error logs.
    How can I resolve this problem?

    Thanks for your attention.
  2. NiteWave

    NiteWave Administrator

    It may trigger a certain "Request Filter" rule.

    Check
    lsws admin console->Server->Request Filter, and disable the "XSS attack" rule if it's enabled.
  3. saeeded

    saeeded New Member

    Thanks "Nite wave" for your reply.

    I'm just a client on the server and cannot access the server configuration.

    Does LiteSpeed have a .htaccess file (same as Apache) to listen to each folder by a configured rule? (for security)

    Or can I resolve this issue by scripting?
  4. NiteWave

    NiteWave Administrator

    Maybe not. Try asking your host to disable that rule.
    If that rule is already disabled, then maybe the mod_security plugin for cPanel has been installed by your host; it acts the same as the request filter but is more powerful and complex.
