Sanitize request strings (also serialized POST data) from trickery like '//'

[ctracker.git] / libs / lib_detector.php

diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index 5ed9917842e8886f5390ce17cfb0c246078fb631..a59ae07a0cb6e6618fc558c38bd47913196f451c 100644 (file)
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -73,7 +73,7 @@ function initCrackerTrackerArrays () {
                // Other Linux programs (+ brace)
                'locate(', 'grep(', 'kill(', 'mcd(', 'mrd(', 'rm(', 'mv(', 'rmdir(',
                'chmod(', 'chmod(', 'chown(', 'chgrp(', 'passwd(', 'vi(', 'cp(',
-               'mdir(', 'esystem(', 'chr(', 'wget(', 'rush(', 'echr(',
+               'mdir(', 'system(', 'chr(', 'wget(', 'rush(', 'echr(',
 
                // Other Linux programs (+ equal)
                'mcd=', 'mrd=', 'chmod=', 'chr=', 'rush=', 'echr=',
@@ -135,6 +135,9 @@ function initCrackerTrackerArrays () {
                // Attempts to insert links into a badly secured URL
                '%3E%3C',
 
+               // Request header being inserted
+               'content-type',
+
                // /proc/ and other forbidden paths
                'proc/self/environ',
 
@@ -170,8 +173,8 @@ function initCrackerTrackerArrays () {
 // Checks for worms
 function isCrackerTrackerWormDetected () {
        // Check against the whole list
-       $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
-       $GLOBALS['ctracker_checked_ua']  = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent()));
+       $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerQueryString())));
+       $GLOBALS['ctracker_checked_ua']  = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerUserAgent())));
 
        /*
         * If it differs to original and the *whole* request string is not in
@@ -196,7 +199,7 @@ function isCrackerTrackerPostAttackDetected () {
        $GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST));
 
        // Check for suspicious POST data
-       $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']));
+       $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), $GLOBALS['ctracker_post_track'])));
 
        // Is it detected?
        return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $GLOBALS['ctracker_post_track']));