Author Topic: GoDaddy mod_security  (Read 4660 times)

Offline Sir Osis of Liver

  • SMF Super Hero
  • *******
  • Posts: 10,949
  • We were all equal in the end.
GoDaddy mod_security
« on: May 31, 2016, 04:25:17 PM »
Did anyone ever come up with a fix for this?

Fatal error: require_once() [function.require]: Failed opening required '/home/content/43/12872143/html/forum/Sources/Subs-Auth.php' (include_path='.:/usr/local/php5_3/lib/php') in /home/content/43/12872143/html/forum/Sources/Security.php on line 543

Has it been addressed in 2.1?
“The best laid schemes o' mice an' men / Gang aft a-gley.” - Robert Burns

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 73,189
Re: GoDaddy mod_security
« Reply #1 on: May 31, 2016, 04:44:01 PM »
How can we resolve "the host removed the file because it tripped a really obscure, hard to diagnose security scan where it uses a function that malicious people use therefore it must be bad" problem?
No good deed goes unpunished
All helpful urges should be circumvented

Offline Sir Osis of Liver

Re: GoDaddy mod_security
« Reply #2 on: May 31, 2016, 05:02:27 PM »
Wonder what they're scanning for.  File uploads, shows up for a fraction of a second, then disappears.  Forum owner will ask GD to disable it, don't know if they will.

Offline Illori

  • Lead Support Specialist
  • SMF Legend
  • *
  • Posts: 52,866
Re: GoDaddy mod_security
« Reply #3 on: May 31, 2016, 05:03:44 PM »
If you upload the file with the file manager it will not disappear. We have tried to find out why files go missing but they don't tell us why.

Offline Sir Osis of Liver

Re: GoDaddy mod_security
« Reply #4 on: May 31, 2016, 05:16:41 PM »
It's being triggered by this -

Code:

$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['search']) . '*';
$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['search']));



Offline Sir Osis of Liver

Re: GoDaddy mod_security
« Reply #5 on: May 31, 2016, 05:30:23 PM »
Quote from: Illori on May 31, 2016, 05:03:44 PM
If you upload the file with the file manager it will not disappear.

That works, thanks.  Forum is running.  Must be something specific to ftp server.

Offline Sir Osis of Liver

Re: GoDaddy mod_security
« Reply #6 on: June 01, 2016, 12:58:36 PM »
If you change this -

Code:

$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['search']) . '*';
$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['search']));


to this -

Code:

$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['']) . '*';
$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['']));


Subs-Auth.php uploads normally.  If you put anything in the brackets in $_REQUEST[''] -

Code:

$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['test']) . '*';
$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['test']));


it fails.

The third line in that code block -

Code:

$_REQUEST['search'] = strtr($_REQUEST['search'], array('%' => '\%', '_' => '\_', '*' => '%', '?' => '_', '&' => '&'));


does not trigger the problem.


Offline Arantor

Re: GoDaddy mod_security
« Reply #7 on: June 01, 2016, 01:40:45 PM »
WTF GoDaddy.

Offline nend

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: GoDaddy mod_security
« Reply #8 on: June 01, 2016, 11:59:25 PM »
I haven't noticed this issue, using SSH.

Online vbgamer45

  • Customizer
  • SMF Super Hero
  • *
  • Posts: 23,476
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: GoDaddy mod_security
« Reply #9 on: September 15, 2019, 09:14:54 PM »
Quote from: Sir Osis of Liver on June 01, 2016, 12:58:36 PM
If you change this -

Code:

$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['search']) . '*';
$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['search']));


to this -

Code:

$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['']) . '*';
$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['']));


Subs-Auth.php uploads normally.  If you put anything in the brackets in $_REQUEST[''] -

Code:

$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['test']) . '*';
$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['test']));


it fails.

The third line in that code block -

Code:

$_REQUEST['search'] = strtr($_REQUEST['search'], array('%' => '\%', '_' => '\_', '*' => '%', '?' => '_', '&' => '&'));


does not trigger the problem.



I ended up running into this. I changed the code to make it more hidden:
Code:
eval(base64_decode('JF9SRVFVRVNUWydzZWFyY2gnXSA9ICRzbWNGdW5jWydodG1sc3BlY2lhbGNoYXJzJ10oJF9SRVFVRVNUWydzZWFyY2gnXSkgLiAnKic7CgkkX1JFUVVFU1RbJ3NlYXJjaCddID0gdHJpbSgkc21jRnVuY1snc3RydG9sb3dlciddKCRfUkVRVUVTVFsnc2VhcmNoJ10pKTs='));

Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline Arantor

Re: GoDaddy mod_security
« Reply #10 on: September 16, 2019, 02:32:37 AM »
Suspect that will get flagged for looking like malware.
No good deed goes unpunished
All helpful urges should be circumvented
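
A scanner rule consistent with the upload tests in Reply #6, and with the remark in Reply #10 that eval(base64_decode(...)) looks like malware, can be sketched as follows. This is an added example, not GoDaddy's rule set and not SMF code: both patterns and their names are assumptions, and the base64 payload is replaced by a placeholder.

```python
import re

# Hypothetical rules, written to match what the thread observed. The host's
# real signatures were never disclosed, so both patterns are assumptions.
RULES = {
    # A function called through a variable and fed a named request parameter.
    # $f['x']($_REQUEST['y']) is also the shape of many PHP web shells.
    "dynamic-call-on-request-input": re.compile(
        r"""\$\w+(?:\[[^\]]*\])?\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\[\s*['"][^'"]+['"]\s*\]"""
    ),
    # eval() over decoded data, the classic wrapper for an obfuscated payload.
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I
    ),
}


def scan_line(line):
    """Return the sorted names of every rule that matches one line of PHP."""
    return sorted(name for name, rx in RULES.items() if rx.search(line))


def scan_source(source):
    """Map 1-based line numbers to rule hits for a whole PHP source string."""
    hits = {}
    for number, line in enumerate(source.splitlines(), start=1):
        found = scan_line(line)
        if found:
            hits[number] = found
    return hits


# Lines quoted in the thread; the last one uses a constructed placeholder
# instead of the real base64 payload.
SAMPLE = "\n".join([
    r"""$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['search']) . '*';""",
    r"""$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['search']));""",
    r"""$_REQUEST['search'] = $smcFunc['htmlspecialchars']($_REQUEST['']) . '*';""",
    r"""$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['test']));""",
    r"""$_REQUEST['search'] = strtr($_REQUEST['search'], array('%' => '\%', '_' => '\_'));""",
    r"""eval(base64_decode('PLACEHOLDER'));""",
])

if __name__ == "__main__":
    for number, names in scan_source(SAMPLE).items():
        print(number, ", ".join(names))
```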

Online vbgamer45

Re: GoDaddy mod_security
« Reply #11 on: September 16, 2019, 09:03:23 AM »
I did it for one file. Then realized GoDaddy also flagged
Post.php
PersonalMessage.php
Subs-Auth.php
ModerationCenter.php
Subs-Post.php
LogInOut.php
Subs-Editor.php
Register.php
Reminder.php

Then wrote a script to upload the file and that works. Seems like they just delete/scan the files on FTP upload.

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Project Manager
  • SMF Super Hero
  • *
  • Posts: 19,840
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • My Daily Dose Of Blasphemy
Re: GoDaddy mod_security
« Reply #12 on: September 16, 2019, 11:54:54 AM »
Yup, we've seen that a lot. And always without exception the solution has been to upload the missing files using another method. Sucks, but that's how it is.
A Finnish Project Manager (Support Specialist)
Happily running multiple SMF 2.x installations.
 Fooling around with an i7-10700 @ 2,90GHz-4.80GHz / 16Gb / RTX-2070 Super / 3840x2160 / Win 10 x64


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline Sir Osis of Liver

Re: GoDaddy mod_security
« Reply #13 on: September 16, 2019, 12:43:51 PM »
Most files I've ever seen blocked was an even dozen, but hasn't happened recently.  GoDaddy has so many different server configurations, you never know what you're working with (neither do they).