Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Sep 27, 2006 8:46 pm Reply with quote

Is there a way we can make our generic blocking strings more specific? That way we won't get so many false positives?

Can uni0n attacks be done without "uni0n select"?
Can sc ript code be allowed certain domains only.. say popular googlesyndication.com or a list the admin can add to?

Are there just certain things we need to keep... like http-ref, embed, etc off?

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Wed Sep 27, 2006 8:57 pm Reply with quote

Maybe blocking strings could be more specific, but with a lot of effort in testing. And retesting. And then someone would find a way around it...

Haven't tried a uni0n delete or insert - not sure that's possible.

Limiting scr ipt to allowed remote domains is an interesting idea. Maybe you could do the same approach for embed, etc.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Thu Sep 28, 2006 5:35 am Reply with quote

Something Bob was talking about awhile back was also a way for the admin to add "exclusions" to the string blocker, in a similar fashion as we add new user agent strings for the Harvester Blocker, but it just works in the opposite manner.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Thu Sep 28, 2006 11:08 am Reply with quote

union union union
script script script
alert alert alert

Confused
 
View user's profile Send private message
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Thu Sep 28, 2006 3:12 pm Reply with quote

The answer is yes. I replaced a good part of the string blocker in Evo because its not a good way to do it in my opinion. Here is what we are going to be using in v3 most likely. I have trimed some of the code from the class because its not done. But here is the jist of it.

Code:


define('REGEX_UNION','#\w?\s?union\s?\w*?\s?(select|all|distinct|insert|update|drop|delete)#is');
define('REGEX_XSS_HTML','#http:\/\/.*#is');
define('REGEX_XSS_DOT','#\.\/#i');
define('REGEX_STRIP_SPACES','/\s{1,}/');
define('REGEX_STRIP_COMMENTS','/\s?\/\s?\*\s*?\w*?\s*?\*\s?\/\s?/i');

class security {
   
    var $log = null;
   
/*-----------
    In:     N/A
    Out:    N/A
    Notes:  Constructor
  -----------*/
    function security() {
        global $cookie, $text;
       
        //Create a new log
        $this->log =& new log('security.log');
       
        //Run default security
        $this->_default();

    }

/*-----------
    Function:    sanitize()
    In:          $item
                     - Item to sanitize
                 $strip
                     - Strip Quotes (Default = false)
    Return:      Sanitized item
    Notes:       $s = preg_replace(REGEX_STRIP_SPACES, ' ', $s);
                     -Removes all the spaces beyond a single space
                 $s = preg_replace(REGEX_STRIP_COMMENTS, ' ', $s);
                     -Removes comments
                 $s = preg_replace(REGEX_FIX_UNION, ' UNION ', $s);
                     -Fixes the word union if is gets broken up

                 This will allow /%2a%2a/UN/%2a   %2a/ION to get changed to UNION
  -----------*/
    function sanitize($item, $strip=false) {
        if( empty($item)) {
            return '';
        }
        //If the item is an array
        if (is_array($item)) {
            $rebuilt = array();
            foreach($item as $key => $part) {
                //Uppercase, tranform html characters, and decode url
                $s = htmlspecialchars(urldecode(strtoupper($part)));
                //Fix strings
                $s = preg_replace(REGEX_STRIP_COMMENTS, ' ', $s);
                $s = preg_replace(REGEX_STRIP_SPACES, '', $s);
               //Strip quotes?
                if ($strip) {
                   //<--Fix
                   //$s = Fix_Quotes(stripslashes($s));
                }
                //Rebuild array
                $rebuilt[$key] = $s;
            }
            return $rebuilt;
        //If the item is not an array
        } else {
            //Uppercase, tranform html characters, and decode url
            $s = htmlspecialchars(strtoupper(urldecode($item)));
            //Fix string
            $s = preg_replace(REGEX_STRIP_COMMENTS, '', $s);
            $s = preg_replace(REGEX_STRIP_SPACES, '', $s);
            //Strip quotes?
            if($strip) {
               //<-- Fix
               //$s = Fix_Quotes(stripslashes($s));
            }
            //Return string
            return $s;
        }
    }
   
/*-----------
    In:     $username
                The username to set the ban to
    Out:    T/F
    Notes:  Changes the users banned field to true
  -----------*/

    function _set_ban($username) {
        global $db, $constants;
       
        if (empty($username) || !is_array($constants)) {
            return false;
        }
       
        $db->sql_query('UPDATE `'.$constants['tables']['users'].'` SET `banned`=1 WHERE `username`="'.$username.'"');       
       
        return true;
    }
   
   // taken from phpbb 3 will right a better function after i done the template class, using it becuase it secure the connection :)
   
   /*
   * Remove variables created by register_globals from the global scope
   * Thanks to Matt Kavanagh
   */
   function _unregister_globals()
   {
      $not_unset = array(
         'GLOBALS'   => true,
         '_GET'      => true,
         '_POST'      => true,
         '_COOKIE'   => true,
         '_REQUEST'   => true,
         '_SERVER'   => true,
         '_SESSION'   => true,
         '_ENV'      => true,
         '_FILES'   => true
      );
      
      // Not only will array_merge and array_keys give a warning if
      // a parameter is not an array, array_merge will actually fail.
      // So we check if _SESSION has been initialised.
      if (!isset($_SESSION) || !is_array($_SESSION))
      {
         $_SESSION = array();
      }
      
      // Merge all into one extremely huge array; unset this later
      $input = array_merge(
         array_keys($_GET),
         array_keys($_POST),
         array_keys($_COOKIE),
         array_keys($_SERVER),
         array_keys($_SESSION),
         array_keys($_ENV),
         array_keys($_FILES)
      );

      foreach ($input as $varname)
      {
         if (isset($not_unset[$varname]))
         {
            // Hacking attempt. No point in continuing.
            $this->exploit('register_globals', 'Register Globals');
         }
      
         unset($GLOBALS[$varname]);
      }
      
      unset($input);
   }
   
/*-----------
    In:     N/A
    Out:    N/A
    Notes:  Runs through some default security checks
  -----------*/
    function _default() {
       
       //DOS check
      if (empty($_SERVER['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] == '-' || !isset($_SERVER['HTTP_USER_AGENT'])) {
         die('DOS');
      }
      
      // If we are on PHP >= 6.0.0 we do not need some code (this could change so we keep close eye on php.net :)
      if (PHP6)
      {
         /**
         * @ignore
         */
         define('STRIP', false);
      }
      else
      {
         set_magic_quotes_runtime(0);
         
         // Be paranoid with passed vars
         if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
         {
            $this->_unregister_globals();
         }
         
         define('STRIP', (get_magic_quotes_gpc()) ? true : false);
      }
      
      //If there is a request string
      if(isset($_SERVER['QUERY_STRING'])) {
         //Sanitize the string
         $item = $this->sanitize($_SERVER['QUERY_STRING'], get_magic_quotes_gpc());
         //Check for XSS & UNION attacks
         if (preg_match(REGEX_XSS_DOT, $item)) {
            $this->exploit('XSS_DOT', 'XSS');
         }
         if (preg_match(REGEX_XSS_HTML, $item)) {
            $this->exploit('XSS_HTML', 'XSS');
         }
         if (preg_match(REGEX_UNION, $item)) {
            $this->exploit('UNION', 'UNION');
         }
      }
   }
}

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©