Blocked when loggin in

New Member Joined: Aug 17, 2004 Posts: 7

Some users of my website are automaticlly blocked when they try to login.
They do nothing more as normal login.

I receive the foillowing E-mail;
(I masked some details by xxxx for privacy reasons)

Date & Time: 2004-08-17 19:30:30
Blocked IP: 80.126.119.XXX
User ID: XXXXXXXXXX (xxx)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 80.126.119.XXX
Remote Port: 63856
Request Method: GET

I have no idea why this user is blocked, it says: Abuse-Filter
But what does it abuse?
He/she just normally logs in, he visits teh correctway my website and presses login, enter his username and password and clicks OK and the he gets blocked.
I turned of the blocking and just mailing only so he can normally log in.

What is happening here, is it a bug?!??!

Posted: Tue Aug 17, 2004 12:37 pm

Can you post the complete query string it could be something in that. cmd exe are examples that would not pass.

Posted: Tue Aug 17, 2004 12:45 pm

That is the complete string

The XXXXX is just the username, nothing more or less and I changed the url
I did not remove anything from thge query itself

But to be sure here it is: ( I changed my url)
[ Only registered users can see links on this board! Get registered or login! ]

This is the full query!

Posted: Tue Aug 17, 2004 12:46 pm

The username is what I was questioning.

Posted: Tue Aug 17, 2004 12:48 pm

The full query:
[ Only registered users can see links on this board! Get registered or login! ]

Posted: Tue Aug 17, 2004 1:14 pm

Yep its the username cmd is setting it off You'll have to edit the check for cmd I'll work one out for ya and post it in a bit if no one else has.

Posted: Tue Aug 17, 2004 2:09 pm

Try this I didn't get a chance to test it but ...

Code:




Find:


// Check for XSS attack


  if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {


replace:


// Check for XSS attack


  if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring) AND !eregi("cmdr",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {

Be sure and test it like I said I didn't get a chance yet.