]>
git.mxchange.org Git - ctracker.git/log
Roland Häder [Tue, 28 Aug 2018 07:41:14 +0000 (09:41 +0200)]
Merge branch 'master' of mx:/var/cache/git/repos/ctracker
Roland Häder [Wed, 22 Aug 2018 18:28:29 +0000 (20:28 +0200)]
Continued:
- banned suhosin entirely from GET parameters (makes really no sense)
- also banned some other php.ini settings
Roland Häder [Wed, 22 Aug 2018 18:19:44 +0000 (20:19 +0200)]
Continued:
- added INSERT_RANDOM_NUMBER_HERE, typical for incompletely configured OpenX/revive Ad Server
- changed to "new" array style
- renamed ctracker_blocked_requests -> ctracker_blocked_methods as they are the
request methods that should always be blocked
- updated .gitattributes
Roland Häder [Tue, 18 Jul 2017 15:56:21 +0000 (17:56 +0200)]
project name set
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Tue, 18 Jul 2017 15:55:36 +0000 (17:55 +0200)]
updated (c)
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Tue, 18 Jul 2017 15:51:36 +0000 (17:51 +0200)]
It is okay to have this NetBeans project around + ignored private data
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Fri, 23 Sep 2016 15:14:27 +0000 (17:14 +0200)]
MantisBT need these being white-listed.
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Wed, 31 Aug 2016 07:17:27 +0000 (09:17 +0200)]
Must be id to have NULL counted, too.
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Wed, 31 Aug 2016 07:11:18 +0000 (09:11 +0200)]
Added view for request methods
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Tue, 30 Aug 2016 07:04:17 +0000 (09:04 +0200)]
Added "detection" of open_basedir and php:// protocol:
- common way to inject php.ini settings which overrides them and then try to
inject external code (remote inclusion)
- don't do such things as http://host.example/script.php?bla=php://input
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Mon, 22 Aug 2016 08:58:54 +0000 (10:58 +0200)]
Fixed parser error
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Mon, 22 Aug 2016 07:52:19 +0000 (09:52 +0200)]
Sorted a bit + removed '.js' as this was to much and kicked out .json, too.
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Wed, 10 Aug 2016 07:47:09 +0000 (09:47 +0200)]
Some fixes:
- also check REQUEST_URI array element as QUERY_STRING may not be always set
- only sanitize when string is not empty
Signed-off-by: Roland Häder <rhaeder@cho-time.de>
Roland Häder [Fri, 5 Aug 2016 08:58:46 +0000 (10:58 +0200)]
Also block request methods such as CONNECT as they can be used for proxying
(means "hiding") other requests such as SMTP (spam) or POP3 (people try to read
their mails but wasting your bandwidth).
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Thu, 28 Jul 2016 11:00:39 +0000 (13:00 +0200)]
Also __CALLBACKPARAM needs blocking
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Thu, 28 Jul 2016 10:57:49 +0000 (12:57 +0200)]
Checking against GET parameters is for the user-agent string not possible as
ordinary UAs may get blocked.
Signed-off-by: Roland Häder <rhaeder@cho-time.de>
Roland Häder [Thu, 28 Jul 2016 09:53:13 +0000 (11:53 +0200)]
Only for testing purposes the string is being sanitized, else http:// becomes http:/ and cannot be compared with http:// anymore
Signed-off-by: Roland Häder <rhaeder@cho-time.de>
Roland Häder [Thu, 28 Jul 2016 08:21:46 +0000 (10:21 +0200)]
Updated database
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Thu, 28 Jul 2016 08:18:13 +0000 (10:18 +0200)]
Renaming season has started:
- renamed $F -> $function
- renamed $L -> $line
- renamed $SQL -> $sqlString
- added type-hint for arrays
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Thu, 28 Jul 2016 08:02:50 +0000 (10:02 +0200)]
Sanitize request strings (also serialized POST data) from trickery like '//'
and '/./' where the attacker tries to circumvent checks.
Signed-off-by: Roland Häder <rhaeder@cho-time.de>
Roland Häder [Thu, 28 Jul 2016 07:57:30 +0000 (09:57 +0200)]
Continued:
- esystem is, well, system is better to look for
- block content-type header-insertion
Signed-off-by: Roland Häder <rhaeder@cho-time.de>
Roland Häder [Thu, 28 Jul 2016 07:50:24 +0000 (09:50 +0200)]
Continued improving:
- introduced crackerTrackerRequestMethod() to encapsulate $_SERVER['REQUEST_METHOD'] retrival
- this allows the script being used on console now
- check also user-agent string for bad occurrences (difference not yet logged)
Signed-off-by: Roland Häder <rhaeder@cho-time.de>
Roland Häder [Wed, 27 Jul 2016 08:35:57 +0000 (10:35 +0200)]
Updated a lot:
- fixed domain as the one with dash is gone
- loading config is now done correctly after general array is being initialized
- fixed loading of header template
Signed-off-by: Roland Häder <rhaeder@cho-time.de>
Roland Häder [Tue, 26 Jul 2016 08:11:57 +0000 (10:11 +0200)]
Index on count column to improve SUM queries
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Tue, 26 Jul 2016 07:55:32 +0000 (09:55 +0200)]
This column should be after remote_addr to have both side by side
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Tue, 26 Jul 2016 07:35:00 +0000 (09:35 +0200)]
Can be combined and makes code look nicer.
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Mon, 25 Jul 2016 09:15:57 +0000 (11:15 +0200)]
Added MySQL internal-use-only function
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Mon, 25 Jul 2016 07:59:45 +0000 (09:59 +0200)]
Also log request method
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Wed, 20 Jul 2016 08:40:11 +0000 (10:40 +0200)]
One to much ...
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Wed, 20 Jul 2016 08:26:41 +0000 (10:26 +0200)]
More PHP function calls (I don't like such RPCs) blocked
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Sat, 13 Feb 2016 20:56:17 +0000 (21:56 +0100)]
Added .gitattributes
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Sat, 12 Sep 2015 21:38:08 +0000 (23:38 +0200)]
Opps ...
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Sat, 12 Sep 2015 21:36:46 +0000 (23:36 +0200)]
Rewrote to MySQLi
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Häder [Mon, 3 Nov 2014 09:53:26 +0000 (10:53 +0100)]
Fixed
Signed-off-by: Roland Häder <haeder@hmmdeutschland.de>
Roland Haeder [Sat, 1 Nov 2014 11:05:59 +0000 (12:05 +0100)]
Added proc/self/environ
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Sat, 1 Nov 2014 10:46:41 +0000 (11:46 +0100)]
Added 'safe_mode' (php.ini setting).
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Sat, 1 Nov 2014 10:30:26 +0000 (11:30 +0100)]
Don't continue if the cookie has been set + ticket has created. 'unknown' was found as IP address.
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Fri, 18 Oct 2013 20:29:05 +0000 (20:29 +0000)]
Added some php.ini settings to block
Roland Haeder [Mon, 12 Aug 2013 18:45:59 +0000 (18:45 +0000)]
Opps, did forget the fetch :(
Roland Haeder [Mon, 12 Aug 2013 18:38:24 +0000 (18:38 +0000)]
No more ORDER BY required, cool.
Roland Haeder [Mon, 12 Aug 2013 18:20:27 +0000 (18:20 +0000)]
Added index + optimized query
Roland Haeder [Sun, 11 Aug 2013 12:32:43 +0000 (12:32 +0000)]
Reverted removal, maybe now working?
Roland Haeder [Sun, 11 Aug 2013 12:23:57 +0000 (12:23 +0000)]
Opps :(
Roland Haeder [Sun, 11 Aug 2013 12:17:01 +0000 (12:17 +0000)]
:( Not good enough
Roland Haeder [Sun, 11 Aug 2013 12:15:49 +0000 (12:15 +0000)]
Added logging/detection of proxy IP address
Roland Haeder [Sun, 11 Aug 2013 12:02:25 +0000 (12:02 +0000)]
server_name and script_name can now be NULL and set all empty strings to NULL, added %3E%3C (><) which indicates an attempt to insert a HTML link into a badly secured URL
Roland Haeder [Fri, 9 Aug 2013 18:25:05 +0000 (18:25 +0000)]
%20 was to much here
Roland Haeder [Fri, 26 Jul 2013 19:22:10 +0000 (19:22 +0000)]
Just '/group' was to restrictive (e.g. breaks StatusNet)
Roland Haeder [Thu, 25 Jul 2013 04:43:40 +0000 (04:43 +0000)]
Added 'Autocomplete' as known-incompatible plugin
Roland Haeder [Sat, 20 Jul 2013 14:42:37 +0000 (14:42 +0000)]
Updated TODOs.txt
Roland Haeder [Sat, 20 Jul 2013 14:24:44 +0000 (14:24 +0000)]
Fix for parser error :(
Roland Haeder [Sat, 20 Jul 2013 14:24:06 +0000 (14:24 +0000)]
Resorted almost all pattern checks + used more single-quotes than double
Roland Haeder [Sat, 20 Jul 2013 13:30:14 +0000 (13:30 +0000)]
Wrappers like data://, tcp:// et cetera now blacklisted
Roland Haeder [Sat, 20 Jul 2013 13:07:03 +0000 (13:07 +0000)]
Use constants instead of keywords
Roland Haeder [Thu, 18 Jul 2013 00:53:17 +0000 (00:53 +0000)]
Fixes (opps) for bad check, blocked all
Roland Haeder [Thu, 18 Jul 2013 00:07:58 +0000 (00:07 +0000)]
Experimental commit:
decode URL before checking to avoid something like this: q=%2FopenFooBar which
would be converted to q=%2fopenfoobar and then blocked as 'fopen' is then found.
This happens with StatusNet 1.1.1
Roland Haeder [Thu, 27 Jun 2013 20:22:57 +0000 (20:22 +0000)]
Added incompatible notice
Roland Haeder [Tue, 4 Jun 2013 13:57:14 +0000 (13:57 +0000)]
Excluded secure_session=1 from mantis
Roland Haeder [Thu, 18 Apr 2013 22:00:32 +0000 (22:00 +0000)]
Now use str_ireplace()
Roland Haeder [Sat, 30 Mar 2013 06:01:32 +0000 (06:01 +0000)]
Better use this?
Roland Haeder [Mon, 11 Mar 2013 23:04:23 +0000 (23:04 +0000)]
Extended is correct
Roland Haeder [Tue, 26 Feb 2013 22:08:17 +0000 (22:08 +0000)]
Remove even more
Roland Haeder [Tue, 26 Feb 2013 21:46:56 +0000 (21:46 +0000)]
unsetCtrackerData() introduced
Roland Haeder [Thu, 20 Dec 2012 20:46:07 +0000 (20:46 +0000)]
Docu updated, detection array resorted a little
Roland Haeder [Wed, 24 Oct 2012 22:46:51 +0000 (22:46 +0000)]
Blocked also %27 (')
Roland Haeder [Wed, 24 Oct 2012 22:16:00 +0000 (22:16 +0000)]
Detection of attempt of SQL injections added
Roland Haeder [Sat, 29 Sep 2012 22:06:08 +0000 (22:06 +0000)]
Taken care of possible missing elements
Roland Haeder [Tue, 27 Sep 2011 18:27:44 +0000 (18:27 +0000)]
'cmd=' broke to many legtime requests, cmd.exe should kill Windozer attacks a little more
Roland Haeder [Wed, 14 Sep 2011 10:59:31 +0000 (10:59 +0000)]
.pl harms also legitime requests
Roland Haeder [Sat, 27 Aug 2011 23:10:59 +0000 (23:10 +0000)]
Now all forms of '0x' are detected
Roland Haeder [Sat, 27 Aug 2011 23:05:40 +0000 (23:05 +0000)]
DOCUMENT_ROOT and _SERVER added (avoid these things please)
Roland Haeder [Fri, 29 Jul 2011 09:43:07 +0000 (09:43 +0000)]
Block also these
Roland Haeder [Fri, 29 Jul 2011 05:18:51 +0000 (05:18 +0000)]
init also this
Roland Haeder [Fri, 29 Jul 2011 05:05:41 +0000 (05:05 +0000)]
Fix for missing 'ctracker_post_track'
Roland Haeder [Fri, 24 Jun 2011 12:47:17 +0000 (12:47 +0000)]
Detection of hexa-decimal encoded (0xXXXXX) strings added
Roland Haeder [Wed, 20 Apr 2011 04:55:37 +0000 (04:55 +0000)]
svn:eol-style set to 'native'
Roland Haeder [Sun, 10 Apr 2011 21:03:41 +0000 (21:03 +0000)]
Duplicate entries removed, typo fixed
Roland Haeder [Sun, 6 Mar 2011 11:29:30 +0000 (11:29 +0000)]
Copyright updated
Roland Haeder [Sun, 6 Mar 2011 11:28:32 +0000 (11:28 +0000)]
Some obsolete comment removed
Roland Haeder [Wed, 9 Feb 2011 14:19:14 +0000 (14:19 +0000)]
Fixed error reporting for debug mode
Roland Haeder [Fri, 26 Nov 2010 15:30:03 +0000 (15:30 +0000)]
Default value of 'count' needs to be 1
Roland Haeder [Tue, 5 Oct 2010 11:43:54 +0000 (11:43 +0000)]
Configuration entry 'ctracker_debug' renamed to 'ctracker_debug_enabled' to make clear this is a boolean config
Roland Haeder [Thu, 23 Sep 2010 12:09:23 +0000 (12:09 +0000)]
Some code blocks moved, detection of '..//' added, user-agent is now securely used
Roland Haeder [Tue, 14 Sep 2010 14:19:35 +0000 (14:19 +0000)]
SVN properties globally set
Roland Haeder [Fri, 20 Aug 2010 08:27:38 +0000 (08:27 +0000)]
'Based on' added, /proc/ will now be detected, do not use it in your scripts
Roland Haeder [Sun, 18 Jul 2010 12:03:51 +0000 (12:03 +0000)]
Fixes for missing config if no database link is provided
Roland Haeder [Thu, 8 Jul 2010 22:19:09 +0000 (22:19 +0000)]
TODOs.txt updated ...
Roland Haeder [Thu, 8 Jul 2010 21:50:51 +0000 (21:50 +0000)]
Documentation does now make a notice about database-less operations
Roland Haeder [Thu, 8 Jul 2010 21:47:56 +0000 (21:47 +0000)]
Updated to allow database-less operation
Roland Haeder [Sun, 20 Jun 2010 16:10:13 +0000 (16:10 +0000)]
Renamed
Roland Haeder [Sun, 16 May 2010 02:20:40 +0000 (02:20 +0000)]
Log of first attempt fixed
Roland Haeder [Sun, 16 May 2010 02:17:39 +0000 (02:17 +0000)]
Fix
Roland Haeder [Sat, 15 May 2010 07:37:33 +0000 (07:37 +0000)]
This should also not be used in URLs
Roland Haeder [Tue, 11 May 2010 09:19:49 +0000 (09:19 +0000)]
Missing form elements handled
Roland Häder [Tue, 11 May 2010 08:17:41 +0000 (08:17 +0000)]
Fix #4 from root...
Roland Haeder [Tue, 11 May 2010 08:12:54 +0000 (08:12 +0000)]
Fix #3
Roland Haeder [Tue, 11 May 2010 08:10:56 +0000 (08:10 +0000)]
Fix #2
Roland Haeder [Tue, 11 May 2010 08:09:48 +0000 (08:09 +0000)]
Fixes... :(
Roland Haeder [Tue, 11 May 2010 07:58:56 +0000 (07:58 +0000)]
Complete rewrite:
- Very simple and basic template system (HTML and email) added
- Templates are language-dependent or indepented, this depends on if you call
crackerTrackerLoadTemplate() or crackerTrackerLoadLocalizedTemplate()
- Email templates are always language-depenent... :-)
- Flexible database auto-update added (please just call your secured script
normally!)
- Language sub-system added (German and English language is complete)
- Suport ticket added which gives your users, if his IP has recent malicious
activities on the secured server, a support ticket form where they can request
help. After the form is sent, the user can fully disable that warning. This is
done by the script sends him a cookie with his ticket id.
- This support ticket system can be switched off and a little configured in
the database table 'ctracker_config'. You can currently change the following
values there:
+ Minimum random delay in seconds (default: 10 seconds)
+ Maximum random delay in seconds (default: 30 seconds)
+ Wether the support ticket system is on/off (default: on)
+ Which language you prefer to read (default: en)
- README updated
Roland Haeder [Tue, 4 May 2010 18:31:12 +0000 (18:31 +0000)]
Added more flexible options