Cirque
Hangin' Around
Joined: Oct 10, 2004
Posts: 35
Posted:
Sat Nov 06, 2004 7:26 pm |
Date & Time: 2004-11-06 16:31:19
Blocked IP: XX.XX.XX.XX
User ID: SOMEUSERNAME (####)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
Query String: www.MYDOMAIN/modules.php?name=Encyclopedia&file=search&query=concat
Forwarded For: none
Client IP: none
Remote Address: XX.XX.XX.XX
Remote Port: 12141
Request Method: GET
============
Why is the above (EDITED) triggering off as bad and blocking that user because of filters?
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted:
Sat Nov 06, 2004 9:14 pm |
"concat" is a filtered word that XSS sometimes use.
Look for this code in includes/sentinel.php:
Code:
```php
// Check for XSS attack
if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {
```

Remove it or comment it out at your own risk.
Cirque
Posted:
Sat Nov 06, 2004 9:40 pm |
That's a bummer, it's a command listed in my encyclopedia which users sometimes search for. Is there anything more that I could add instead of removing it? "concat<SOMELETTER>" like "concatb" if there was more to that string usually sent?
Cirque
Posted:
Sat Nov 06, 2004 9:43 pm |
Perhaps:
Code:
```php
if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring) AND !eregi("y=concat",$querystring)) {
```

Would work?
Raven
Posted:
Sat Nov 06, 2004 9:45 pm |
Try it and find out ;)
Cirque
Posted:
Sat Nov 06, 2004 9:58 pm |
Nope.. sure doesn't work. And searching for concat here is not a good idea. When I clicked on the resulting searches found, I got sentinel'ed. heh. So any ideas on anything I can add to the word concat that would be used in the attack but not trigger if they only search for exactly concat?
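The sentinel test quoted above is a plain substring match over the whole query string, so `query=concat` and `query=concat(user,0x3a,pass)` look identical to it, and the `!eregi("y=concat",...)` exemption proposed in the thread has the same problem in reverse: being a substring test it would also exempt `query=concat(...)`. The narrower option a practitioner would reach for is to parse the query string into parameters and exempt only the case where a known search parameter's entire value is the bare word, while still blocking `concat(` there and `concat` anywhere else. The following is an added example written for this thread, not NukeSentinel's own code; it assumes `$querystring` is the raw `$_SERVER['QUERY_STRING']` and that `query` is the only parameter allowed to carry the bare word. The function name and the allow-list are hypothetical. It uses `preg_match` rather than `eregi`, which was deprecated in PHP 5.3 and removed in 7.0.

```php
<?php
// Added example, not NukeSentinel's own code. It replaces only the
// eregi("concat",$querystring) test from includes/sentinel.php with a
// per-parameter check; the rest of that if() condition stays as it is.
// Assumptions: $querystring is the raw $_SERVER['QUERY_STRING'], and the
// names in $SEARCH_PARAMS are the only parameters whose value may
// legitimately be the bare word "concat". Both names are hypothetical.

$SEARCH_PARAMS = array('query');

// parse_str() builds nested arrays for a[]=x or a[b]=y; flatten them so
// every leaf value is inspected.
function flatten_values($value)
{
    if (!is_array($value)) {
        return array((string) $value);
    }
    $out = array();
    array_walk_recursive($value, function ($leaf) use (&$out) {
        $out[] = (string) $leaf;
    });
    return $out;
}

// Returns true when "concat" appears anywhere in the query string except
// as the whole value of an allow-listed search parameter.
function concat_abuse($querystring, $search_params)
{
    // parse_str() splits on & and url-decodes once, so %63oncat and
    // concat%28 arrive here as "concat" and "concat(". It does not decode
    // twice, so a double-encoded %2563 stays literal; that matches what the
    // application itself would see.
    parse_str($querystring, $params);

    foreach ($params as $name => $value) {
        $exempt_param = in_array(strtolower((string) $name), $search_params, true);

        foreach (flatten_values($value) as $leaf) {
            $lc = strtolower($leaf);
            if (strpos($lc, 'concat') === false) {
                continue; // nothing to decide for this value
            }
            // The one exemption: the value is the word itself, with at most
            // surrounding whitespace. "concat(" or "concat x" fall through.
            if ($exempt_param && preg_match('/^\s*concat\s*\z/', $lc)) {
                continue;
            }
            return true; // the substring is somewhere we did not exempt
        }
    }
    return false;
}

// In sentinel.php the original condition's last term
//     OR eregi("concat",$querystring)
// would become
//     OR concat_abuse($querystring, $SEARCH_PARAMS)

// Constructed sample query strings (the first is the blocked user's request
// from the log above), evaluated when this file is run directly.
$samples = array(
    'name=Encyclopedia&file=search&query=concat',
    'name=Encyclopedia&file=search&query=CONCAT%28',       // url-encoded "("
    'name=Encyclopedia&file=search&query=concat(a,b)',
    'name=concat&file=search',                              // not a search parameter
    'name=Encyclopedia&file=search&query=concat&sort=concat',
    'name=Encyclopedia&file=search&query=%63oncat',        // url-encoded "c"
    'name=Encyclopedia&file=search&query[]=x&query[]=concat(',
);
foreach ($samples as $qs) {
    printf("%-62s %s\n", $qs, concat_abuse($qs, $SEARCH_PARAMS) ? 'blocked' : 'allowed');
}
```

Two caveats worth keeping in mind. First, this only narrows the one rule; a keyword blocklist of this kind is still a blocklist, and the modules behind it should be handling their own input (escaping or parameterizing database queries) regardless of what sentinel.php lets through. Second, if another module's search box also needs the bare word, its parameter name goes into `$SEARCH_PARAMS`; exempting a whole parameter name is deliberate, and the regex keeps `concat(` blocked even there.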
Raven
Posted:
Sat Nov 06, 2004 10:07 pm |
Cirque
Posted:
Sat Nov 06, 2004 10:10 pm |
That worked, I was able to search here and click through on the result without being banned.
Raven
Posted:
Sat Nov 06, 2004 10:17 pm |
Cirque
Posted:
Sat Nov 06, 2004 10:21 pm |
Oh.. well, you had me a little worried that someone would XSS attack me if I did that.. was hoping for a way to be safe and still allow people to search for concat. Oh well.. guess I can unban them all the time.
Raven
Posted:
Sat Nov 06, 2004 10:24 pm |
There is, but I am involved in a project right now and can't tend to it. If someone else doesn't help you with this, get back to me in a day or so.
Cirque
Posted:
Sat Nov 06, 2004 10:30 pm |
Ya, no rush, I will check back in a couple. I'd rather unban a couple of people now and again than open up holes whenever possible.