Discussion: String Blocks

registered · Posted: Wed Sep 27, 2006 8:46 pm

Is there a way we can make our generic blocking strings more specific? That way we won't get so many false positives?

Can uni0n attacks be done without "uni0n select"?
Can sc ript code be allowed certain domains only.. say popular googlesyndication.com or a list the admin can add to?

Are there just certain things we need to keep... like http-ref, embed, etc off?

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Maybe blocking strings could be more specific, but with a lot of effort in testing. And retesting. And then someone would find a way around it...

Haven't tried a uni0n delete or insert - not sure that's possible.

Limiting scr ipt to allowed remote domains is an interesting idea. Maybe you could do the same approach for embed, etc.

registered · Posted: Thu Sep 28, 2006 5:35 am

Something Bob was talking about awhile back was also a way for the admin to add "exclusions" to the string blocker, in a similar fashion as we add new user agent strings for the Harvester Blocker, but it just works in the opposite manner.

Posted: Thu Sep 28, 2006 11:08 am

union union union
script script script
alert alert alert

Confused

registered · Posted: Thu Sep 28, 2006 3:12 pm

The answer is yes. I replaced a good part of the string blocker in Evo because its not a good way to do it in my opinion. Here is what we are going to be using in v3 most likely. I have trimed some of the code from the class because its not done. But here is the jist of it.

Code:




define('REGEX_UNION','#\w?\s?union\s?\w*?\s?(select|all|distinct|insert|update|drop|delete)#is');


define('REGEX_XSS_HTML','#http:\/\/.*#is');


define('REGEX_XSS_DOT','#\.\/#i');


define('REGEX_STRIP_SPACES','/\s{1,}/');


define('REGEX_STRIP_COMMENTS','/\s?\/\s?\*\s*?\w*?\s*?\*\s?\/\s?/i');





class security {


    


    var $log = null;


    


/*-----------


    In:     N/A


    Out:    N/A


    Notes:  Constructor


  -----------*/


    function security() {


        global $cookie, $text;


        


        //Create a new log


        $this->log =& new log('security.log');


        


        //Run default security


        $this->_default();





    }





/*-----------


    Function:    sanitize()


    In:          $item


                     - Item to sanitize


                 $strip


                     - Strip Quotes (Default = false)


    Return:      Sanitized item


    Notes:       $s = preg_replace(REGEX_STRIP_SPACES, ' ', $s);


                     -Removes all the spaces beyond a single space


                 $s = preg_replace(REGEX_STRIP_COMMENTS, ' ', $s);


                     -Removes comments


                 $s = preg_replace(REGEX_FIX_UNION, ' UNION ', $s);


                     -Fixes the word union if is gets broken up





                 This will allow /%2a%2a/UN/%2a   %2a/ION to get changed to UNION


  -----------*/


    function sanitize($item, $strip=false) {


        if( empty($item)) {


            return '';


        }


        //If the item is an array


        if (is_array($item)) {


            $rebuilt = array();


            foreach($item as $key => $part) {


                //Uppercase, tranform html characters, and decode url


                $s = htmlspecialchars(urldecode(strtoupper($part)));


                //Fix strings


                $s = preg_replace(REGEX_STRIP_COMMENTS, ' ', $s);


                $s = preg_replace(REGEX_STRIP_SPACES, '', $s);


               //Strip quotes?


                if ($strip) {


                   //<--Fix


                   //$s = Fix_Quotes(stripslashes($s));


                }


                //Rebuild array


                $rebuilt[$key] = $s;


            }


            return $rebuilt;


        //If the item is not an array


        } else {


            //Uppercase, tranform html characters, and decode url


            $s = htmlspecialchars(strtoupper(urldecode($item)));


            //Fix string


            $s = preg_replace(REGEX_STRIP_COMMENTS, '', $s);


            $s = preg_replace(REGEX_STRIP_SPACES, '', $s);


            //Strip quotes?


            if($strip) {


               //<-- Fix


               //$s = Fix_Quotes(stripslashes($s));


            }


            //Return string


            return $s;


        }


    }


    


/*-----------


    In:     $username


                The username to set the ban to


    Out:    T/F


    Notes:  Changes the users banned field to true


  -----------*/





    function _set_ban($username) {


        global $db, $constants;


        


        if (empty($username) || !is_array($constants)) {


            return false;


        }


        


        $db->sql_query('UPDATE `'.$constants['tables']['users'].'` SET `banned`=1 WHERE `username`="'.$username.'"');        


        


        return true;


    }


    


   // taken from phpbb 3 will right a better function after i done the template class, using it becuase it secure the connection :)


   


   /*


   * Remove variables created by register_globals from the global scope


   * Thanks to Matt Kavanagh


   */


   function _unregister_globals()


   {


      $not_unset = array(


         'GLOBALS'   => true,


         '_GET'      => true,


         '_POST'      => true,


         '_COOKIE'   => true,


         '_REQUEST'   => true,


         '_SERVER'   => true,


         '_SESSION'   => true,


         '_ENV'      => true,


         '_FILES'   => true


      );


      


      // Not only will array_merge and array_keys give a warning if


      // a parameter is not an array, array_merge will actually fail.


      // So we check if _SESSION has been initialised.


      if (!isset($_SESSION) || !is_array($_SESSION))


      {


         $_SESSION = array();


      }


      


      // Merge all into one extremely huge array; unset this later


      $input = array_merge(


         array_keys($_GET),


         array_keys($_POST),


         array_keys($_COOKIE),


         array_keys($_SERVER),


         array_keys($_SESSION),


         array_keys($_ENV),


         array_keys($_FILES)


      );





      foreach ($input as $varname)


      {


         if (isset($not_unset[$varname]))


         {


            // Hacking attempt. No point in continuing.


            $this->exploit('register_globals', 'Register Globals');


         }


      


         unset($GLOBALS[$varname]);


      }


      


      unset($input);


   }


   


/*-----------


    In:     N/A


    Out:    N/A


    Notes:  Runs through some default security checks


  -----------*/


    function _default() {


       


       //DOS check


      if (empty($_SERVER['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] == '-' || !isset($_SERVER['HTTP_USER_AGENT'])) {


         die('DOS');


      }


      


      // If we are on PHP >= 6.0.0 we do not need some code (this could change so we keep close eye on php.net :)


      if (PHP6)


      {


         /**


         * @ignore


         */


         define('STRIP', false);


      }


      else


      {


         set_magic_quotes_runtime(0);


         


         // Be paranoid with passed vars


         if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')


         {


            $this->_unregister_globals();


         }


         


         define('STRIP', (get_magic_quotes_gpc()) ? true : false);


      }


      


      //If there is a request string


      if(isset($_SERVER['QUERY_STRING'])) {


         //Sanitize the string


         $item = $this->sanitize($_SERVER['QUERY_STRING'], get_magic_quotes_gpc());


         //Check for XSS & UNION attacks


         if (preg_match(REGEX_XSS_DOT, $item)) {


            $this->exploit('XSS_DOT', 'XSS');


         }


         if (preg_match(REGEX_XSS_HTML, $item)) {


            $this->exploit('XSS_HTML', 'XSS');


         }


         if (preg_match(REGEX_UNION, $item)) {


            $this->exploit('UNION', 'UNION');


         }


      }


   }


}