Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM


butchs

#40
Humm...  Sounds like the same thing Kindred saw with his unsorted member groups.  I should have a fix soon.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Ok, version 1.0.1 fixes the blank white page admin screen issue.  Those who get this error should uninstall and install the new revision.  For all others upgrade is optional.
8)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

KensonPlays

Thanks for this! I'll have this, Stop Spammer, and httpBL now! (Already with just the other two, 600+ spammers blocked :) )

flapjack

In only an hour after installing the same combo, I had over 100 spammers blocked.

busterone

#44
I have a situation that has me puzzled. The answer may be right in front of me, but I can't see it.  :)
With SQL Injection test enabled, the mod is flagging my normal members as hack attempts whenever they try to delete a personal message from their inbox.
This is an example of the header it recorded:
GET /index.php?action=pm;sa=pmactions;pm_actions[40707]=delete;f=inbox;start=0;b5c9d1f=f9386db172f6d1b4743fc971b796f7c1
HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729) SearchToolbar/1.2 http://www.thedemonsden.com/index.php?action=pm;f=inbox;l=-1;done=sent
and the reason column says - Hack: Disallowed characters! 


Another member is flagged doing the same, attempting to delete a PM. They both have reported to me that they got a 403 error when attempting to delete PMs.
This one's header was:
GET /index.php?action=pm;sa=pmactions;pm_actions[40617]=delete;f=inbox;start=1740;f6dd1f7f0=4ffba150984c26ed3fc2d8af50b28918
HTTP/1.0 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 http://www.thedemonsden.com/index.php?action=pm;f=inbox;l=-1;sort=date;start=1740
Same reason - Hack: Disallowed characters!

I confirmed the IPs are of the respective users. What am I missing here? It should not be blocking normal forum operations.

Sorry, I forgot to post my version. RC4 - No errors were in the error log either.

butchs

I did not test that one.  What was the first reason in the logs?  There it usually lists the offending character.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

busterone

Nope, it just said Hack: Disallowed characters! without listing the offending character. And nothing in the forum error log.
I just disabled the injection test for the time being so they can carry on as usual.
I will be away for most of the day, but when I return, I can re-enable it and see if I can get more info.

Am'

If someone feels that he has never made a mistake in his life, it means he has never tried anything new in his life.
My Mods For SMF 2 RC3 : XQuote XCode - Vbulletin Style New Meta Tags

THE BRA1N

Quote from: butchs on January 17, 2011, 08:31:12 PM
Ok, version 1.0.1 fixes the blank white page admin screen issue.  Those who get this error should uninstall and install the new revision.  For all others upgrade is optional.
8)

Indeed, that flawlessly fixed the white page issue for me. Great work and great mod.

kat

Quote from: butchs on January 15, 2011, 09:45:56 PM
It was a typo...  BB is a separate mod.   :o

Thanks for clarifying. :)

busterone

Quote from: Arantor on January 18, 2011, 05:05:09 PM
The disallowed characters in the log are [ and ] which wouldn't normally be in URLs but can be. Additionally if it flags that, it might also flag up certain circumstances of searching where stuff is base64 encoded and pushed through the URL that way.
I am not quite sure I am following you here. If I am getting you, that is part of the SMF code for deleting pms, and the only thing to do is to keep the injection test turned off?

butchs

#51
Be nice Arantor.  ;)  I started writing this mod this time last year.  It has months of testing, took many months to get approved and many people have used it with no major issues.   O:)

busterone, I just came home and turned off the admin check on my test server and deleted 5 PMs, then 1, and finally a whole row of PMs with no errors in the FF visitor log for SMF 2.0 RC4.  Honestly, I am not sure if "[" or "]" are even used by SMF.  I have to check.

Needless to say, the mod is fully admin adjustable.  So if "[" or "]" are required by SMF, or you do not care about your admins' security, then all you need to do is edit the "Permitted URI Characters" regular expression.  8)

Try changing it from a-z 0-9~%$,.:;&#?/+=_\- to a-z 0-9~%$,.:;[]&#?/+=_\- . That may do the trick (someone better with these regex patterns may have a better idea).  Personally, I will have to advise against it unless someone can prove that they are required characters.
  :P
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

geminisnake

Tried installing the latest version on 1.1.12 and got:

Fatal error: Call to undefined function FFCopyright() in /home/dark/public_html/forum/Sources/Load.php(1733) : eval()'d code on line 373

Haven't been able to work it out yet ...  :)
>>>W128.GeminiSnake.NEO<<<

"An application used to be something we filled out"

busterone

Thanks butchs, I was wondering that myself, but I got busy with some other stuff and haven't had time to post back yet.

I will try it for a while and see what happens. I doubt that changing it to your suggestion will reduce the security too much, considering the number of forums that run without this mod anyway, so what can it hurt?
I am open to any other ideas that Arantor or anyone else may have as well.  I am sure we can work out any quirks that come up.  :)

butchs

#54
Quote from: Arantor on January 19, 2011, 02:28:51 AM
Hey, just pointing out that it is, right now, too sensitive, not trying to dig on your turf or anything...

The mod can be adjusted.  The default settings are strict, as per many internet standards.  If someone prefers less security, then anyone can adjust and turn settings off and on.  For a small site all you really need is the DOS and IP check settings.   8)

The reason your statement concerns me is because it is a blanket statement and can be misunderstood.  It could cause an admin to make an error.  Take for example the following:

One user reported that Google was getting blocked most of the time.  He thought it was a sensitivity issue.  That was incorrect: the banned addresses were simply Google impostors looking for vulnerabilities (if you look at the pctweakr thread you will see how to check it).  The robots.txt and Google settings were looked at, no changes to FF were made, and a few weeks later Google was back at the site; this time it was the real Google.  :o

So please post up any changes you recommend.  I made it adjustable for that reason... Maybe in a future version I can add:  high, medium and low security settings.   :-X

I for one prefer to make sure that the characters are in fact used by SMF instead of adding one just to be safe.

Quote from: Arantor on January 19, 2011, 02:28:51 AM
I really hope that's being pushed through preg_quote first seeing how [, ], $, ? and + are all special characters in regular expressions, but judging by the \- I'm assuming not...

Impressive.  Yes, FF uses "preg_quote".

I will be the first to admit that I am not a regex pattern guy.  So far I have been using a pattern based off of an edited version of the popular "CodeIgniter" pattern.  I used that pattern because that program published patterns for many languages.  It seems to work?  It will be nice to see better patterns...   :D

Quote from: Arantor on January 19, 2011, 02:28:51 AM
The practical answer is that the effective change on security is not significant by adding these legitimate URL characters into the mix, when SMF does use them. If you're really paranoid of course you could rewrite where the URLs are generated and processed but that's not really recommended.

I can not agree more.  :)

Still, I am paranoid when it comes to security.  I get nervous when it comes to PMs because I recall an attack on vBulletin  :-[ where someone sent loaded PMs to admins (not that I know anything about that) in order to read their cookies and get their passwords.

But if you say it is used then I must bow to your high SMF expertise.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
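The two points raised above (the "Permitted URI Characters" list letting "[" and "]" through, and Arantor's question of whether that list is passed through preg_quote before it lands in a character class) can be seen side by side in the following example. This is added illustration code, not code from the Forum Firewall mod or from SMF: it uses Python's re.escape as the counterpart of PHP's preg_quote, assumes that the setting string reads as "x-y" for a range between two alphanumerics, backslash-escape for the next character and a literal otherwise (the mod's actual parsing of the setting is not known from the thread), and checks the PM-delete URI recorded in busterone's post together with a few constructed URIs.

```python
import re

# Permitted-character lists as quoted in the thread: the default, and the
# variant that adds the square brackets SMF's pm_actions[...] parameter uses.
DEFAULT_PERMITTED = r"a-z 0-9~%$,.:;&#?/+=_\-"
EXTENDED_PERMITTED = r"a-z 0-9~%$,.:;[]&#?/+=_\-"

# Request path recorded in busterone's post (the PM delete that was flagged).
PM_DELETE_URI = ("/index.php?action=pm;sa=pmactions;pm_actions[40707]=delete;"
                 "f=inbox;start=0;b5c9d1f=f9386db172f6d1b4743fc971b796f7c1")


def permitted_class(setting: str) -> str:
    """Build a regex character class from the admin's permitted-character list.

    Assumed setting format (not the mod's documented one): 'x-y' between two
    alphanumerics is a range, a backslash escapes the next character, and
    anything else (space included) is a literal.  Every literal goes through
    re.escape, the Python analogue of preg_quote, so characters such as
    [ ] $ ? + become *permitted* characters instead of regex syntax.
    """
    parts = []
    i, n = 0, len(setting)
    while i < n:
        ch = setting[i]
        if ch == "\\" and i + 1 < n:                      # backslash escape
            parts.append(re.escape(setting[i + 1]))
            i += 2
        elif (i + 2 < n and setting[i + 1] == "-"
              and ch.isalnum() and setting[i + 2].isalnum()):  # range x-y
            parts.append(re.escape(ch) + "-" + re.escape(setting[i + 2]))
            i += 3
        else:                                             # plain literal
            parts.append(re.escape(ch))
            i += 1
    return "[" + "".join(parts) + "]"


def disallowed_characters(setting: str, uri: str) -> list:
    """Return the distinct characters of `uri` that the list does not permit,
    in order of first appearance.  An empty list means the URI passes.
    Matching is case-insensitive (assumed, since the list has a-z but no A-Z).
    Reporting the offenders is what the thread's log entry lacked."""
    single = re.compile(permitted_class(setting), re.IGNORECASE)
    offenders = []
    for ch in uri:
        if not single.fullmatch(ch) and ch not in offenders:
            offenders.append(ch)
    return offenders


def naive_permits(setting: str, uri: str) -> bool:
    """The unsafe construction Arantor suspected: the setting is dropped into
    the class verbatim.  With the default list this happens to work, but once
    ']' is added it terminates the class early and the leftover characters
    become pattern syntax, so ordinary URIs stop matching."""
    pattern = re.compile("^[" + setting + "]+$", re.IGNORECASE)
    return pattern.match(uri) is not None


if __name__ == "__main__":
    for label, setting in (("default", DEFAULT_PERMITTED),
                           ("extended", EXTENDED_PERMITTED)):
        print(label, "class:", permitted_class(setting))
        print(label, "offenders in PM delete:",
              disallowed_characters(setting, PM_DELETE_URI))
    # Constructed URI with angle brackets: still rejected by the extended list.
    print("extended offenders in <b>:",
          disallowed_characters(EXTENDED_PERMITTED, "/index.php?action=search;q=<b>"))
    # Same simple URI, naive embedding: accepted with the default list,
    # rejected once '[]' is added without escaping.
    simple = "/index.php?action=pm;f=inbox"
    print("naive default:", naive_permits(DEFAULT_PERMITTED, simple))
    print("naive extended:", naive_permits(EXTENDED_PERMITTED, simple))
```

Run stand-alone, it prints the two generated classes, shows that only "[" and "]" fall outside the default list for the recorded PM-delete request, that the extended list accepts that request while still rejecting a URI containing "<" and ">", and that embedding the extended list without escaping makes even a plain inbox URI fail. The practical lesson for an admin tuning the setting is that a whitelist only stays a whitelist if every entry is escaped before it becomes part of the pattern, and that a log entry naming the offending characters makes a false positive like this one diagnosable in seconds.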

henrik1782

#55
Hi Butchs....

I suddenly get this error from a regular user:

80.162.225.97 Gæst Beklager Gæst, du er udelukket fra at bruge dette forum!
DOS Attack!
Denne bandlysning er sat til at udløbe 21. Januar 2011, 13:58:57 pm.
?action=enotify I dag ved 22:16:53

It is strange because when I look in the visitors log the last log event is:

981 213.46.136.183 2011-01-20 20:09:59 GET /index.php/topic,116.0.html?PHPSESSID=34c429d9c82bc3b096fbbb9160636ea5 HTTP/1.1 Java/1.6.0_23 http://192.168.1.10:8080/cgi-bin/index.cgi#  DOS Attack!

Could this possibly be a virus on her computer causing this?
My favorite mods: Forum Firewall, httBL, MessagePreviewOnHover, BoardHover Mod, VB Style Board Index, Separate Replies and Views Column, Realtime clock by Joker, ENotify, Topic Solved.

henrik1782

The user has been banned from the board, do you have any suggestions on how to avoid this in the future...?
My favorite mods: Forum Firewall, httBL, MessagePreviewOnHover, BoardHover Mod, VB Style Board Index, Separate Replies and Views Column, Realtime clock by Joker, ENotify, Topic Solved.

henrik1782

Ok.. thanks.

I could see in the log that ENotify and Forum Firewall are not a perfect match. Do you know any alternatives to ENotify?

Best regards
Henrik
My favorite mods: Forum Firewall, httBL, MessagePreviewOnHover, BoardHover Mod, VB Style Board Index, Separate Replies and Views Column, Realtime clock by Joker, ENotify, Topic Solved.

henrik1782

Thanks a lot Arantor for your help.

Best regards
Henrik
My favorite mods: Forum Firewall, httBL, MessagePreviewOnHover, BoardHover Mod, VB Style Board Index, Separate Replies and Views Column, Realtime clock by Joker, ENotify, Topic Solved.

Bagheera

#59
First, thank you for your hard work, it's really appreciated  :D

I installed it and it looks like it works perfectly. I have a question about what to turn on. I am technically challenged in stuff like that  :-X
In the pic you can see what I did so far. Can you tell me what else I can turn on or how else I can set it up?

Thank you
