// Other Linux programs (+ brace)
'locate(', 'grep(', 'kill(', 'mcd(', 'mrd(', 'rm(', 'mv(', 'rmdir(',
'chmod(', 'chmod(', 'chown(', 'chgrp(', 'passwd(', 'vi(', 'cp(',
- 'mdir(', 'esystem(', 'chr(', 'wget(', 'rush(', 'echr(',
+ 'mdir(', 'system(', 'chr(', 'wget(', 'rush(', 'echr(',
// Other Linux programs (+ equal)
'mcd=', 'mrd=', 'chmod=', 'chr=', 'rush=', 'echr=',
// Attempts to insert links into a badly secured URL
'%3E%3C',
+ // Request header being inserted
+ 'content-type',
+
// /proc/ and other forbidden paths
'proc/self/environ',
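Review bot: The new `'content-type'` entry (L11) is matched by `str_ireplace` as a case-insensitive substring of the raw query string and User-Agent, so any benign parameter whose value happens to contain that token (a copied header name, a documentation URL) is rewritten and then flagged as a hit; if the intent is to catch header injection, anchor it to the injected form, e.g. a pattern that includes the preceding line break or the colon (`'content-type:'`), or keep it only in the list applied to decoded data. Unrelated to this commit but on the same list, `'chmod('` appears twice on L3; the second copy is dead and should be dropped. The `esystem(` → `system(` fix is an improvement, though note that with substring matching `system(` already covered the old spelling, so the visible effect is broader matching rather than a previously missed case.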
// Checks for worms
function isCrackerTrackerWormDetected () {
// Check against the whole list
- $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
- $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent()));
+ $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerQueryString())));
+ $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerUserAgent())));
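Review bot: The new `str_replace(array('//', '/./'), array('/', '/'), ...)` normalisation runs before `urldecode()`, so only literal slash sequences are collapsed; percent-encoded forms of the same sequences are left as-is and the blacklist entries that contain slashes (e.g. `proc/self/environ`) are compared against the un-decoded text, which limits what the added step actually canonicalises. It is also a single pass, so a string such as `///` or `/././` is only partially reduced (`str_replace` does not rescan its own output), whereas a fixed-point loop (`do { $prev = $s; $s = str_replace(...); } while ($s !== $prev);`) on the decoded value would give a stable result. The same ordering applies to the POST variant on L27. The function's comparison against the original request (hinted at by the comment on L23) lies outside this hunk; see the note on the POST hunk for the false-positive it introduces.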
/*
* If it differs to original and the *whole* request string is not in
$GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST));
// Check for suspicious POST data
- $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']));
+ $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), $GLOBALS['ctracker_post_track'])));
// Is it detected?
return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $GLOBALS['ctracker_post_track']));
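Review bot: With the normalisation added on L27, `$GLOBALS['ctracker_checked_post']` now differs from `$GLOBALS['ctracker_post_track']` for any benign POST body containing `//` or `/./` — every `http://` URL in a form field — so the `!=` test on L29 reports a worm with no blacklist hit at all. The comparison should be made against the same normalised text: compute it once, e.g. `$normalized_post = str_replace(array('//', '/./'), array('/', '/'), $GLOBALS['ctracker_post_track']);`, then `$GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $normalized_post));` and `return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != urldecode($normalized_post)));`, keeping both sides decoded the same number of times (note `ctracker_post_track` is already decoded once on L24 and the checked copy is decoded again). The enclosing function starts outside this hunk, so the assignment on L24 may need the same treatment if it is reused elsewhere.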