Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM


qtime

Is there a way to monitor certain queries, like:
SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt FROM form_members WHERE emailAddress

butchs

Yes, enter it in the admin configurable fields.  Read the built-in help for more info.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

qtime

Quote from: butchs on April 17, 2011, 02:50:54 PM
Yes, enter it in the admin configurable fields.  Read the built-in help for more info.
Thanks for the reply. I know the admin panel options, but was wondering in which box it should be added.

butchs

Quote from: qtime on April 17, 2011, 10:30:42 PM
Thanks for the reply. I know the admin panel options, but was wondering in which box it should be added.

I would add a query to the Injection List.  Codes must be entered in the format "XX|YY" where XX and YY are the Attack Codes, i.e. SELECT passwd|ID_MEMBER|ID_GROUP|lngfile|is_activated|emailAddress|additionalGroups|memberName|passwordSalt FROM form_members WHERE emailAddress

Interesting, is this information you found from attacks?

qtime

ah thanks a lot, now I understand the XX|YY

DarkBlizz

Out of curiosity, why is the link "Protected by Forum Firewall" linked to http://www.eastcoastrollingthunder.com o.O??

butchs

#346
You can remove it; look at the Forum Firewall About section for more info on how to do it.


NanoSector

#347
Quote from: DarkBlizz on April 22, 2011, 12:41:20 PM
Out of curiosity, why is the link "Protected by Forum Firewall" linked to http://www.eastcoastrollingthunder.com o.O??
And why the heck is that site blocking me? I hate those sites -.-''

Gotta protect my site with this bad boy :P
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

butchs

#348
Ooops...  It's just a Car Club site.  I blocked many non-USA countries with the mod using the "Country Identification" feature.

Storman™

Hi butchs

Got a problem with FF blocking Aeva   :-\

It's a new RC5 site and only running in test mode at the moment so not a big deal, but I'm getting these as attempted hacks when they are not:

Reason: Hack: Repeated!

Quote: GET /index.php?action=media;sa=album;in=6 HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 http://www.mysite.com/index.php?action=media;sa=mass;album=6

--------------------------------

Reason: Hack: Repeated!

Quote: GET /index.php?action=media;sa=media;in=12;preview HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 http://www.mysite.com/index.php?action=media;sa=album;in=6

--------------------------------

Reason: Hack: %3d!

Quote: POST Filename: my_image.jpg Upload: Submit Query /index.php?action=media;sa=mass;album=6;xml;upcook=YTo0OntpOjA7czoxOiI1IjtpOjE7czo0MDoiZjVjYjg4Y2I2YzAwZGUzMzk5MzFlMjFjNmJkY2EzZmZjODVmNGRiNSI7aToyO2k6MTQ5MzM4NTMyNztpOjM7aTowO30%3D HTTP/1.1 Shockwave Flash

Any idea on how to resolve so that these are not deemed to be attempted hacks ?

Basically all that was happening when I got the above was either uploading or previewing images in Aeva.

Cheers  ;)

butchs

The "Hack: Repeated!" is just your cache blocking it after the first attempt.  The mod does this to slow down spam bots.  You need to look at the first block in your visitor log to identify the root cause.  My guess is that
Quote: Reason: Hack: %3d!
is the root cause of your issue.

Quote: %3d
is the hexadecimal equivalent of
Quote: =

This should not be in the code.  I can only assume that this is an isolated incident for the one Flash link?  If so, do not use that link.  If not, then it is just a typo in Aeva, so you can either go to the Aeva support board and ask them to remove the trailing
Quote: %3d
or you can remove it from the "Injection List".   Not recommended.   O:)

A little about Aeva.  First, if you have the paid version I cannot support it with this mod. I had the free version at my site a while back and actually added some code to FF to make it work with Aeva.  But I was unhappy with how it worked, so I removed Aeva and kept the workaround code in the mod.

With that said, it is my opinion that Aeva makes way too many calls to the SMF core, which actually slows down the site.  Do not get me wrong.  It is easy and works great, but it sucks up way too much bandwidth for my old school tastes.  Support for Aeva with this mod is limited.
:-*

Kindred

Hmmm....   Just so you know, I have seen = used in the sessionID string that is appended to URLs.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

butchs

= is not an issue; it is only an issue if it is hex encoded, as per RFC 3986.

To STRICTLY comply with RFC 3986 the links should be sanitized as follows:

from  => to
"%21" => "!"
"%2A" => "*"
"%27" => "`"
"%28" => "("
"%29" => ")"
"%3B" => ";"
"%3A" => ":"
"%40" => "@"
"%26" => "&"
"%3D" => "="
"%2B" => "+"
"%24" => "$"
"%2C" => ","
"%2F" => "/"
"%3F" => "?"
"%25" => "%"
"%23" => "#"
"%5B" => "["
"%5D" => "]"

FF was not designed to sanitize; that is the job of SMF et al. (possibly Aeva).  FF is designed to block bad things.  The default intent is to strictly adhere to internet standards.  This is why the hex encoded = is blocked.

The beauty of FF is that the admin can edit all the criteria, and if they choose they can allow hex encoded ='s... relaxing the default intent.
8)
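The following is an added example, not Forum Firewall's own code, that models the two behaviours butchs describes above (a request target carrying a percent-encoded RFC 3986 reserved character is blocked and named in the reason; every later request from the same client is then blocked as "Repeated!") and replays the three request targets quoted from Storman's log through that model. It also URL-decodes and base64-decodes the `upcook` value from that log, which shows that the trailing `%3D` is base64 padding on a serialized PHP array rather than stray text in the URL. The `ToyFirewall` class, the client address, the replay order (upload first, as the diagnosis implies) and the reason strings are assumptions made for illustration; the encoded-character table is the one from the post, except that `%27` is the apostrophe as RFC 3986 defines it.

```python
"""Added example (not FF's code): percent-encoded reserved-character check,
a toy 'repeat offender' cache, and decoding of the quoted upcook value."""
import base64
import urllib.parse

# RFC 3986 reserved characters (gen-delims and sub-delims) in percent-encoded
# form, as listed in the post above. %27 is the apostrophe per RFC 3986.
ENCODED_RESERVED = {
    "%21": "!", "%2A": "*", "%27": "'", "%28": "(", "%29": ")",
    "%3B": ";", "%3A": ":", "%40": "@", "%26": "&", "%3D": "=",
    "%2B": "+", "%24": "$", "%2C": ",", "%2F": "/", "%3F": "?",
    "%25": "%", "%23": "#", "%5B": "[", "%5D": "]",
}


def encoded_reserved_in(target):
    """Return the percent-encoded reserved characters present in a request
    target, matched case-insensitively (%3d and %3D are the same octet)."""
    upper = target.upper()
    return sorted(tok for tok in ENCODED_RESERVED if tok in upper)


class ToyFirewall:
    """Assumed, simplified model of the behaviour described in the thread:
    the first request with an encoded reserved character is blocked with that
    code as the reason, and the client is then cached as an offender so every
    later request from it is blocked as 'Repeated!' whatever it contains."""

    def __init__(self):
        self.offenders = set()

    def check(self, client, target):
        """Return the block reason, or None if the request is allowed."""
        if client in self.offenders:
            return "Hack: Repeated!"
        hits = encoded_reserved_in(target)
        if hits:
            self.offenders.add(client)
            return "Hack: %s!" % hits[0].lower()
        return None


def decode_upcook(value):
    """URL-decode, then base64-decode, an upcook parameter value and return
    the decoded text (a serialized PHP array for the value quoted above)."""
    raw = urllib.parse.unquote(value)
    return base64.b64decode(raw).decode("ascii")


# upcook value copied from the log quoted in the thread.
UPCOOK = ("YTo0OntpOjA7czoxOiI1IjtpOjE7czo0MDoiZjVjYjg4Y2I2YzAwZGUzMzk5MzFlMjFj"
          "NmJkY2EzZmZjODVmNGRiNSI7aToyO2k6MTQ5MzM4NTMyNztpOjM7aTowO30%3D")

# Request targets from that log, replayed in the order the diagnosis implies
# (the upload carrying the encoded '=' comes first). Constructed client IP.
REQUESTS = [
    "/index.php?action=media;sa=mass;album=6;xml;upcook=" + UPCOOK,
    "/index.php?action=media;sa=album;in=6",
    "/index.php?action=media;sa=media;in=12;preview",
]
CLIENT = "203.0.113.5"  # documentation-range address, constructed


def replay(requests=REQUESTS, client=CLIENT):
    """Run the targets through one ToyFirewall; returns the reasons list."""
    fw = ToyFirewall()
    return [fw.check(client, target) for target in requests]


if __name__ == "__main__":
    for reason, target in zip(replay(), REQUESTS):
        print("%-17s %s" % (reason, target[:60]))
    print(decode_upcook(UPCOOK))
```

Only the upload is caught on its own merits; the two album/preview requests are blocked purely because the same client is already in the offender cache, which is why the first entry in the visitor log is the one to read. The decoded `upcook` is a serialized PHP array of the shape `a:4:{i:0;s:1:"5";i:1;s:40:"...";i:2;...;i:3;i:0;}`; its base64 padding is the whole source of the `%3D`, so the narrow fix is to exempt that one parameter rather than drop `%3D` from the Injection List globally. The array also carries an identifier and a 40-hex-character hash, so log lines that include `upcook` should be handled as sensitive.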

Kindred

What I am trying to say is that I saw = in the sessionID string... not a URL-encoded = (%3d), an ACTUAL =.

teos55

#354
Hi to all,

  Running SMF 1.1.13 and BB installed with the default theme.  During the apply stage I got the following error message:

"Execute Modification   ./Themes/default/index.template.php   Test failed"

  I have the following line in ./Themes/default/index.template.php

theme_copyright() . get2by2host_copyright(),

   I read all the pages, but nobody reported such a thing; most probably it is some other modification issue. Can you shed some light on this?



nb1.  After some searching, it seems that "get2by2host_copyright()" comes from Twitter @anywhere.
  I removed it (the code from "global headers and footers") a while ago, but it seems that code remained in the template. Can it be that, I mean, if I remove it from the template, then it will be a smooth install?

nb2.  Without waiting for a reply I removed "get2by2host_copyright()", and now I'm installing the code.

So this case is closed.

butchs


Angelina Belle

Quote from: teos55 on May 02, 2011, 06:57:26 AM
Without waiting for a reply I removed "get2by2host_copyright()", and now I'm installing the code.

Good job figuring out what was causing your install to fail -- but removing the copyright notice from the theme may mean you have now violated the licensing agreement on the theme. You should check with the theme provider. 

Now that the install has completed successfully, you should be able to put that copyright notice back in, and get right with your theme's provider.
Never attribute to malice that which is adequately explained by stupidity. -- Hanlon's Razor

teos55

Sorry for misguiding.  I only removed the "get2by2host_copyright()", not the "theme_copyright()". So the original copyright is there,
and FF is running in test mode, and will be for a while.

NanoSector

Quote from: teos55 on May 03, 2011, 10:45:14 AM
Sorry for misguiding.  I only removed the "get2by2host_copyright()", not the "theme_copyright()". So the original copyright is there,
and FF is running in test mode, and will be for a while.
Still, the other part is a copyright added by something, and it needs to stay intact to comply with the rules of that something.

Perhaps attach your index.template.php here so we can re-add it for you :)

Kindred

Yoshi... you must not have read the previous post...

Quote from: teos55 on May 02, 2011, 06:57:26 AM
nb1.  After some searching, it seems that "get2by2host_copyright()" comes from Twitter @anywhere.
  I removed it (the code from "global headers and footers") a while ago, but it seems that code remained in the template. Can it be that, I mean, if I remove it from the template, then it will be a smooth install?


It was added by the Twitter mod, which he removed...   but apparently the mod did not completely uninstall.
He's fine.
