400 Bad request

Samiux
12 May 2010, 05:25


Hiawatha version: 7.2
Operating System: Ubuntu Server 10.04 LTS

I am also running the Ubuntu-provided phpMyAdmin. When I want to delete or add an entry in a table, I get a "400 Bad request" error message.

By the way, I am also running apparmor in complain mode on hiawatha and php5-cgi.

Any idea?
Hugo Leisink
12 May 2010, 09:11
phpMyAdmin sometimes generates some weird URLs (lots of %xx in the URL). Presence of such characters can indicate an attack on your website, therefore Hiawatha refuses requests which have those characters in the URL. You can use the SecureURL setting to disable this security check.

VirtualHost {
...
SecureURL = false
}
Samiux
12 May 2010, 11:35
I deleted the following settings and applied your suggestion. The problem is solved and no more 400 Bad Request error. However, I would like to protect the phpmysql with the following settings. How can I do it?

PreventCSRF
PreventSQLi
PreventXSS

Hugo Leisink
12 May 2010, 12:02
The PreventCSRF and PreventSQLi won't cause the problem. The PreventSQLi is not really required, because phpMyAdmin is secure enough. It's the PreventXSS which can cause problems, because it affects the URL.

In my opinion, the best way to protect phpMyAdmin is to use SSL and use the AccessList to allow access for your IPs, use HTTP authentication for IPs of, for example, your work, and deny the rest. That will be more than secure enough.

VirtualHost {
...
RequireSSL = yes
AccessList = allow <your_ip>, pwd <work_ip>, deny all
PasswordFile = basic:/path/to/passwordfile
}
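
An added example, not part of the original post and not Hiawatha's own code: a small model for checking which clients an AccessList line like the one above would allow, challenge for a password, or deny before it is deployed. It assumes rules are evaluated left to right with the first match winning (the ordering that makes a trailing `deny all` meaningful); the addresses are constructed stand-ins for `<your_ip>` and `<work_ip>`.

```python
import ipaddress

# Constructed stand-ins for the <your_ip> and <work_ip> placeholders
# (addresses from the RFC 5737 documentation ranges).
ACCESS_LIST = "allow 192.0.2.10, pwd 198.51.100.0/24, deny all"


def parse_access_list(value):
    """Split an AccessList value into ordered (action, network) rules."""
    rules = []
    for item in value.split(","):
        action, target = item.split()
        if action not in ("allow", "pwd", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        # 'all' is modelled as match-everything (network = None).
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(rules, client_ip):
    """Return the action of the first matching rule (assumed first-match-wins)."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or addr in net:
            return action
    # What the server does with unlisted addresses is not modelled here.
    return "no-match"


def has_catch_all_deny(rules):
    """True when the list ends with 'deny all', so nothing falls through."""
    return bool(rules) and rules[-1] == ("deny", None)


if __name__ == "__main__":
    rules = parse_access_list(ACCESS_LIST)
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", decide(rules, ip))
    print("ends with deny all:", has_catch_all_deny(rules))
```

Under the first-match assumption, putting `deny all` first would shadow every later rule, which is the ordering mistake this check is meant to catch.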
Samiux
12 May 2010, 12:20
Thank you for the suggestion. I think phpmyadmin should be opened for intranet only.

When I enabled PreventCSRF and PreventSQLi, the problem came back. So I disabled them all, and it is open to local IPs only.
This topic has been closed.