Continued:
- Friendica is known to me to be incompatible with ctracker

Continued:
- .gitattributes copied from other project

Continued:
- prevented more local variables and if/else blocks
- updated TODOs.txt

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- reduced local variables
- fixed SQL (ops!)

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- <require|include>[_once] are all 4 no functions, they are keywords

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- // END - foo was an old tradition, let's dump this
- also !function_exists('foo') was old here, the lib file should be loaded only
  once

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- tpzos fiexed

Signed-off-by: Roland Häder <roland@mxchange.org>

Continue:
- is already there!

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- more UTF-8
- added check_ua

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- addslashes() is really nothing, better htmlentities()

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- added convertion to UTF-8

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- should be "AND"

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- should be behind remote_addr

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- added spam_bot_dectections field to allow counting spambot attacks

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- changed all <?php print foo; ?> to <?= foo; ?>
- added hidden anti-spam field as I'm done with these spammers
  abusing my well-intended email form
- also included a message to those spammers

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- ignore any console request

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- maybe lame but those statements shall never happen in a user-agent string

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- added a few strings that are uncommon in URLs and should not be allowed:
  + urlencode() is a PHP function
  + invokefunction should not be possible from remote

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- blocked %systemroot% (search is case-insensitive)

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- ops, UA blacklist was double initialized?!
- added set_time_limit() PHP function for being blocked, should never be done
  over GET or UA string

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- blocked information_schema as this is an internal MySQL/MariaDB table

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- "=passthru" is also a strange/uncommon name for actions, modules, et cetera
- also it is a PHP command for executing commands ...

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- added "vuln.php" which seem to be a remote-inclusion attack

Continued:
- uh, last commit was UA, now POST data
- moved out server-config related to own "category"
- added application/x-httpd-php as this is not ment to be placed in URL, UA
  and POST data

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- moved Windows-related strings to own "category"
- added system.net.webclient and powershell, both not wanted in URLs
- ... and POST data as well

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- call_user_func(_array) does never belong into URLs, if your script requires
  this, please reconsider the security implications!

Signed-off-by: Roland Häder <roland@mxchange.org>

Continued:
- added "AddType" which has been recently used in a code-injection attack

Signed-off-by: Roland Häder <roland@mxchange.org>

Also __CALLBACKPARAM needs blocking

Signed-off-by: Roland Häder <roland@mxchange.org>

Checking against GET parameters is for the user-agent string not possible as
ordinary UAs may get blocked.

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Continued:
- replace old array() style with []
- really no need for array keys as they are auto-generated anyway

Continued:
- let's also include request method in mails
- ops, also need to distinguish between different request methods but with same remaining data

CRLF->LF

Signed-off-by: Roland Häder <roland@mxchange.org>

Merge branch 'master' of mx:/var/cache/git/repos/ctracker

Continued:
- banned suhosin entirely from GET parameters (makes really no sense)
- also banned some other php.ini settings

Continued:
- added INSERT_RANDOM_NUMBER_HERE, typical for incompletely configured OpenX/revive Ad Server
- changed to "new" array style
- renamed ctracker_blocked_requests -> ctracker_blocked_methods as they are the
  request methods that should always be blocked
- updated .gitattributes

project name set

Signed-off-by: Roland Häder <roland@mxchange.org>

updated (c)

Signed-off-by: Roland Häder <roland@mxchange.org>

It is okay to have this NetBeans project around + ignored private data

Signed-off-by: Roland Häder <roland@mxchange.org>

MantisBT need these being white-listed.

Signed-off-by: Roland Häder <roland@mxchange.org>

Must be id to have NULL counted, too.

Signed-off-by: Roland Häder <roland@mxchange.org>

Added view for request methods

Signed-off-by: Roland Häder <roland@mxchange.org>

Added "detection" of open_basedir and php:// protocol:
- common way to inject php.ini settings which overrides them and then try to
  inject external code (remote inclusion)
- don't do such things as http://host.example/script.php?bla=php://input

Signed-off-by: Roland Häder <roland@mxchange.org>

Fixed parser error

Signed-off-by: Roland Häder <roland@mxchange.org>

Sorted a bit + removed '.js' as this was to much and kicked out .json, too.

Signed-off-by: Roland Häder <roland@mxchange.org>

Some fixes:
- also check REQUEST_URI array element as QUERY_STRING may not be always set
- only sanitize when string is not empty

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Also block request methods such as CONNECT as they can be used for proxying
(means "hiding") other requests such as SMTP (spam) or POP3 (people try to read
their mails but wasting your bandwidth).

Signed-off-by: Roland Häder <roland@mxchange.org>

Also __CALLBACKPARAM needs blocking

Signed-off-by: Roland Häder <roland@mxchange.org>

Checking against GET parameters is for the user-agent string not possible as
ordinary UAs may get blocked.

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Only for testing purposes the string is being sanitized, else http:// becomes http:/ and cannot be compared with http:// anymore

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Updated database

Signed-off-by: Roland Häder <roland@mxchange.org>

Renaming season has started:
- renamed $F -> $function
- renamed $L -> $line
- renamed $SQL -> $sqlString
- added type-hint for arrays

Signed-off-by: Roland Häder <roland@mxchange.org>

Sanitize request strings (also serialized POST data) from trickery like '//'
and '/./' where the attacker tries to circumvent checks.

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Continued:
- esystem is, well, system is better to look for
- block content-type header-insertion

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Continued improving:
- introduced crackerTrackerRequestMethod() to encapsulate $_SERVER['REQUEST_METHOD'] retrival
- this allows the script being used on console now
- check also user-agent string for bad occurrences (difference not yet logged)

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Updated a lot:
- fixed domain as the one with dash is gone
- loading config is now done correctly after general array is being initialized
- fixed loading of header template

Signed-off-by: Roland Häder <rhaeder@cho-time.de>

Index on count column to improve SUM queries

Signed-off-by: Roland Häder <roland@mxchange.org>

This column should be after remote_addr to have both side by side

Signed-off-by: Roland Häder <roland@mxchange.org>

Can be combined and makes code look nicer.

Signed-off-by: Roland Häder <roland@mxchange.org>

Added MySQL internal-use-only function

Signed-off-by: Roland Häder <roland@mxchange.org>

Also log request method

Signed-off-by: Roland Häder <roland@mxchange.org>

One to much ...

Signed-off-by: Roland Häder <roland@mxchange.org>

More PHP function calls (I don't like such RPCs) blocked

Signed-off-by: Roland Häder <roland@mxchange.org>

Added .gitattributes

Signed-off-by: Roland Häder <roland@mxchange.org>

Opps ...

Signed-off-by: Roland Häder <roland@mxchange.org>

Rewrote to MySQLi

Signed-off-by: Roland Häder <roland@mxchange.org>

Fixed

Signed-off-by: Roland Häder <haeder@hmmdeutschland.de>

Added proc/self/environ

Signed-off-by: Roland Häder <roland@mxchange.org>

Added 'safe_mode' (php.ini setting).

Signed-off-by: Roland Häder <roland@mxchange.org>

Don't continue if the cookie has been set + ticket has created. 'unknown' was found as IP address.

Signed-off-by: Roland Häder <roland@mxchange.org>

Added some php.ini settings to block

Opps, did forget the fetch :(

No more ORDER BY required, cool.

Added index + optimized query

Reverted removal, maybe now working?

Opps :(

:( Not good enough

Added logging/detection of proxy IP address

server_name and script_name can now be NULL and set all empty strings to NULL, added %3E%3C (><) which indicates an attempt to insert a HTML link into a badly secured URL

%20 was to much here

Just '/group' was to restrictive (e.g. breaks StatusNet)

Added 'Autocomplete' as known-incompatible plugin

Updated TODOs.txt

Fix for parser error :(

Resorted almost all pattern checks + used more single-quotes than double

Wrappers like data://, tcp:// et cetera now blacklisted

Use constants instead of keywords

Fixes (opps) for bad check, blocked all

Experimental commit:
decode URL before checking to avoid something like this: q=%2FopenFooBar which
would be converted to q=%2fopenfoobar and then blocked as 'fopen' is then found.

This happens with StatusNet 1.1.1

Added incompatible notice

Excluded secure_session=1 from mantis

Now use str_ireplace()

Better use this?

Extended is correct

Remove even more

unsetCtrackerData() introduced

Docu updated, detection array resorted a little

Blocked also %27 (')

Detection of attempt of SQL injections added

Taken care of possible missing elements

'cmd=' broke to many legtime requests, cmd.exe should kill Windozer attacks a little more