PHP file is displaying generic 403 Forbidden

Benjamin D.

• October 19, 2017 06:19

Since I upgraded to v66.0 I'm getting a FORBIDDEN 403 error only on 1 PHP script. It's a Paypal notification PHP script on our server that they call when a transaction is processed) There is no error_log even if error_reporting(E_ALL); chown + chgrp is the cPanel user's. Tried permissions 0755, 0644, same as any other working PHP script in the same directory. Tried renaming the file, still outputs a generic 403 Forbidden message. Last modification date on that file: 2013-10-05, that's 4 years ago, has always worked pristinely. Pulling my hair out. WTF?

• 

  Benjamin D.

  • October 19, 2017 11:35

  I found the solution in another forum. ModSecurity has 2 rules that were interfering with my script, hope this helps somebody coming here in the future: If your PHP script has ANY passed variable named "session_id" (POST, GET, COOKIE, etc...?) even if it has nothing to do with PHP's sessions at all (e.g.: $_POST['session_id"> = "This is arbitrary content or my own session ID that has nothing to do with PHP sessions.") then ModSecurity will cut the execution and display a generic 403 Forbidden when your script is called. The 2 rules to disable (or duplicate and modify) in WHM > ModSecurity" Tools > Rules list (top right) were: # 943110 # 943120 (or just search your variable's name in the search bar and check for other rules containing them in their RegEx) Problem solved :)

  0
• 

  cPWilliamL

  • October 19, 2017 14:15

  Glad to see you found the issue @Benjamin D. and thanks for sharing the solution!

  0

Please sign in to leave a comment.