git.mxchange.org Git - ctracker.git/log
Roland Haeder [Sat, 1 Nov 2014 11:05:59 +0000 (12:05 +0100)]
Added proc/self/environ
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Sat, 1 Nov 2014 10:46:41 +0000 (11:46 +0100)]
Added 'safe_mode' (php.ini setting).
Signed-off-by: Roland Häder <roland@mxchange.org>
Roland Haeder [Sat, 1 Nov 2014 10:30:26 +0000 (11:30 +0100)]
Don't continue if the cookie has been set + ticket has been created. 'unknown' was found as IP address.
Signed-off-by: Roland Häder <roland@mxchange.org>
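The proxy-related commits in this log ("'unknown' was found as IP address" above, "Added logging/detection of proxy IP address" and "Now detects proxy usage" further down) all touch the same problem: a tracker that logs and blocks by client address has to decide which address to believe when the request came through a proxy. The following is an added illustration in Python, not ctracker's own PHP code; the TRUSTED_PROXIES ranges, the function names and the sample $_SERVER dictionaries are constructed for this example. It shows the two checks a practitioner wants here: only honour X-Forwarded-For when the TCP peer is one of your own proxies (anyone else can forge it), and never accept the literal token "unknown" (which Squid-style proxies emit) or any other non-address as an IP.

```python
"""Client-IP resolution behind proxies: validate tokens, trust only own proxies.

Added example, not part of ctracker. Ranges and samples below are constructed.
"""
import ipaddress

# Constructed: the reverse proxies we operate. Anything else is an untrusted peer.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
)


def parse_ip(token: str):
    """Return an ip_address for a valid token; None for '', 'unknown' or junk.

    Squid-style proxies write the literal word 'unknown' into X-Forwarded-For
    when they cannot determine the upstream address, so that token must never
    reach the log as if it were an IP."""
    token = token.strip()
    if not token or token.lower() == "unknown":
        return None
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_trusted(ip) -> bool:
    """True if the address belongs to one of our own proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client(server: dict):
    """Return (client_ip, proxy_ip_or_None) from a $_SERVER-like dict.

    REMOTE_ADDR is the TCP peer and is always a real address. X-Forwarded-For
    is only consulted when that peer is a trusted proxy; its entries are walked
    right-to-left (rightmost was appended by the hop closest to us), skipping
    our own proxies and any unparsable token, and the first untrusted valid
    address is taken as the client."""
    remote = parse_ip(server.get("REMOTE_ADDR", ""))
    if remote is None:
        raise ValueError("REMOTE_ADDR missing or unparsable")
    xff = server.get("HTTP_X_FORWARDED_FOR", "")
    if not xff or not is_trusted(remote):
        # Untrusted peer: its header is attacker-controlled, ignore it.
        return str(remote), None
    for token in reversed(xff.split(",")):
        ip = parse_ip(token)
        if ip is None or is_trusted(ip):
            continue  # 'unknown', junk, or another of our own hops
        return str(ip), str(remote)
    # Header held nothing usable: record the proxy, not the word 'unknown'.
    return str(remote), str(remote)


# Constructed sample requests mirroring PHP's $_SERVER.
SAMPLES = {
    "direct": {"REMOTE_ADDR": "203.0.113.5"},
    "via_proxy": {"REMOTE_ADDR": "10.1.2.3",
                  "HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.1.2.3"},
    "unknown_token": {"REMOTE_ADDR": "10.1.2.3",
                      "HTTP_X_FORWARDED_FOR": "unknown, 198.51.100.7"},
    "forged": {"REMOTE_ADDR": "203.0.113.5",
               "HTTP_X_FORWARDED_FOR": "127.0.0.1"},
    "only_unknown": {"REMOTE_ADDR": "10.1.2.3",
                     "HTTP_X_FORWARDED_FOR": "unknown"},
}


def evaluate():
    """Resolve every sample; returns {name: (client_ip, proxy_ip_or_None)}."""
    return {name: resolve_client(srv) for name, srv in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} -> client={result[0]} proxy={result[1]}")
```

The "forged" case is the one that matters for a blocking tool: a direct client sending X-Forwarded-For: 127.0.0.1 must not be able to get itself logged, or whitelisted, as localhost.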
Roland Haeder [Fri, 18 Oct 2013 20:29:05 +0000 (20:29 +0000)]
Added some php.ini settings to block
Roland Haeder [Mon, 12 Aug 2013 18:45:59 +0000 (18:45 +0000)]
Oops, forgot the fetch :(
Roland Haeder [Mon, 12 Aug 2013 18:38:24 +0000 (18:38 +0000)]
No more ORDER BY required, cool.
Roland Haeder [Mon, 12 Aug 2013 18:20:27 +0000 (18:20 +0000)]
Added index + optimized query
Roland Haeder [Sun, 11 Aug 2013 12:32:43 +0000 (12:32 +0000)]
Reverted removal, maybe now working?
Roland Haeder [Sun, 11 Aug 2013 12:23:57 +0000 (12:23 +0000)]
Oops :(
Roland Haeder [Sun, 11 Aug 2013 12:17:01 +0000 (12:17 +0000)]
:( Not good enough
Roland Haeder [Sun, 11 Aug 2013 12:15:49 +0000 (12:15 +0000)]
Added logging/detection of proxy IP address
Roland Haeder [Sun, 11 Aug 2013 12:02:25 +0000 (12:02 +0000)]
server_name and script_name can now be NULL, and all empty strings are set to NULL; added %3E%3C (><), which indicates an attempt to insert an HTML link into a badly secured URL
Roland Haeder [Fri, 9 Aug 2013 18:25:05 +0000 (18:25 +0000)]
%20 was too much here
Roland Haeder [Fri, 26 Jul 2013 19:22:10 +0000 (19:22 +0000)]
Just '/group' was too restrictive (e.g. breaks StatusNet)
Roland Haeder [Thu, 25 Jul 2013 04:43:40 +0000 (04:43 +0000)]
Added 'Autocomplete' as known-incompatible plugin
Roland Haeder [Sat, 20 Jul 2013 14:42:37 +0000 (14:42 +0000)]
Updated TODOs.txt
Roland Haeder [Sat, 20 Jul 2013 14:24:44 +0000 (14:24 +0000)]
Fix for parser error :(
Roland Haeder [Sat, 20 Jul 2013 14:24:06 +0000 (14:24 +0000)]
Re-sorted almost all pattern checks + used more single quotes than double
Roland Haeder [Sat, 20 Jul 2013 13:30:14 +0000 (13:30 +0000)]
Wrappers like data://, tcp:// et cetera now blacklisted
Roland Haeder [Sat, 20 Jul 2013 13:07:03 +0000 (13:07 +0000)]
Use constants instead of keywords
Roland Haeder [Thu, 18 Jul 2013 00:53:17 +0000 (00:53 +0000)]
Fixes (oops) for bad check, blocked all
Roland Haeder [Thu, 18 Jul 2013 00:07:58 +0000 (00:07 +0000)]
Experimental commit:
decode URL before checking to avoid something like this: q=%2FopenFooBar, which
would be converted to q=%2fopenfoobar and then blocked because 'fopen' is then found.
This happens with StatusNet 1.1.1
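The commit above describes a real pitfall of substring blocklists: lower-casing the raw query string lets a percent-escape run into the following word ("%2F" + "open" becomes "fopen"), so a harmless StatusNet request is blocked. The same ordering also hides the opposite case: an attacker who escapes a letter inside the token ("f%6fpen") never matches at all. The example below is added here in Python to show both effects side by side; it is not ctracker's PHP code, and BLOCKLIST is a constructed handful of fragments in the spirit of the patterns this log mentions elsewhere (stream wrappers, 0x hex, %3E%3C, /proc/), not the project's real list. The sample query strings are constructed as well.

```python
"""Match-on-raw vs decode-then-match for a substring blocklist.

Added illustration, not ctracker's own code. BLOCKLIST and SAMPLES are
constructed for this example.
"""
from urllib.parse import unquote_plus

# Constructed fragments modelled on the kinds of tokens the commit log talks
# about: a dangerous function name, stream wrappers, a hex prefix, an HTML
# injection marker, a pseudo filesystem and a traversal sequence.
BLOCKLIST = ("fopen", "data://", "tcp://", "0x", "><", "/proc/", "../")


def _first_hit(text: str):
    """Return the first blocklisted fragment found in text, else None."""
    return next((p for p in BLOCKLIST if p in text), None)


def match_raw(query: str):
    """Pre-fix behaviour: lower-case the raw query string, then substring-match.

    A percent-escape can run into the next word and form a blocklisted token
    (%2FopenFooBar -> '%2fopenfoobar' contains 'fopen'), while an escaped
    token ('f%6fpen') is not seen at all."""
    return _first_hit(query.lower())


def percent_decode(query: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded input (%252f) ends up as the character the application
    will actually see."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def match_decoded(query: str):
    """Post-fix behaviour: decode first, then lower-case, then match."""
    return _first_hit(percent_decode(query).lower())


# Constructed sample requests: the StatusNet false positive from the commit
# message, two attacker strings (escaped and double-encoded), an HTML
# injection marker, and an ordinary search.
SAMPLES = {
    "q=%2FopenFooBar": "StatusNet query from the commit message (legit)",
    "q=f%6Fpen%28%22%2Fetc%2Fpasswd%22%29": "percent-escaped fopen() (attack)",
    "file=%252e%252e%252fetc%252fpasswd": "double-encoded ../ (attack)",
    "page=%3E%3Cscript%3E": "HTML injection marker >< (attack)",
    "q=hello%20world": "ordinary search (legit)",
}


def evaluate():
    """Return {query: (raw_hit, decoded_hit)} for every sample."""
    return {q: (match_raw(q), match_decoded(q)) for q in SAMPLES}


if __name__ == "__main__":
    for q, (raw, dec) in evaluate().items():
        print(f"{q:40s} raw={raw!s:6s} decoded={dec!s:6s}  {SAMPLES[q]}")
```

Decoding first fixes the false positive and closes the encoded bypass, but note the bounded loop in percent_decode: decode repeatedly, not once, or "%252e%252e%252f" still slips through, and bound it so a pathological input cannot keep the check busy.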
Roland Haeder [Thu, 27 Jun 2013 20:22:57 +0000 (20:22 +0000)]
Added incompatible notice
Roland Haeder [Tue, 4 Jun 2013 13:57:14 +0000 (13:57 +0000)]
Excluded secure_session=1 from mantis
Roland Haeder [Thu, 18 Apr 2013 22:00:32 +0000 (22:00 +0000)]
Now use str_ireplace()
Roland Haeder [Sat, 30 Mar 2013 06:01:32 +0000 (06:01 +0000)]
Better use this?
Roland Haeder [Mon, 11 Mar 2013 23:04:23 +0000 (23:04 +0000)]
Extended is correct
Roland Haeder [Tue, 26 Feb 2013 22:08:17 +0000 (22:08 +0000)]
Remove even more
Roland Haeder [Tue, 26 Feb 2013 21:46:56 +0000 (21:46 +0000)]
unsetCtrackerData() introduced
Roland Haeder [Thu, 20 Dec 2012 20:46:07 +0000 (20:46 +0000)]
Docu updated, detection array resorted a little
Roland Haeder [Wed, 24 Oct 2012 22:46:51 +0000 (22:46 +0000)]
Blocked also %27 (')
Roland Haeder [Wed, 24 Oct 2012 22:16:00 +0000 (22:16 +0000)]
Detection of attempt of SQL injections added
Roland Haeder [Sat, 29 Sep 2012 22:06:08 +0000 (22:06 +0000)]
Taken care of possible missing elements
Roland Haeder [Tue, 27 Sep 2011 18:27:44 +0000 (18:27 +0000)]
'cmd=' broke too many legitimate requests, cmd.exe should kill Windozer attacks a little more
Roland Haeder [Wed, 14 Sep 2011 10:59:31 +0000 (10:59 +0000)]
.pl also harms legitimate requests
Roland Haeder [Sat, 27 Aug 2011 23:10:59 +0000 (23:10 +0000)]
Now all forms of '0x' are detected
Roland Haeder [Sat, 27 Aug 2011 23:05:40 +0000 (23:05 +0000)]
DOCUMENT_ROOT and _SERVER added (avoid these things please)
Roland Haeder [Fri, 29 Jul 2011 09:43:07 +0000 (09:43 +0000)]
Block also these
Roland Haeder [Fri, 29 Jul 2011 05:18:51 +0000 (05:18 +0000)]
init also this
Roland Haeder [Fri, 29 Jul 2011 05:05:41 +0000 (05:05 +0000)]
Fix for missing 'ctracker_post_track'
Roland Haeder [Fri, 24 Jun 2011 12:47:17 +0000 (12:47 +0000)]
Detection of hexadecimal encoded (0xXXXXX) strings added
Roland Haeder [Wed, 20 Apr 2011 04:55:37 +0000 (04:55 +0000)]
svn:eol-style set to 'native'
Roland Haeder [Sun, 10 Apr 2011 21:03:41 +0000 (21:03 +0000)]
Duplicate entries removed, typo fixed
Roland Haeder [Sun, 6 Mar 2011 11:29:30 +0000 (11:29 +0000)]
Copyright updated
Roland Haeder [Sun, 6 Mar 2011 11:28:32 +0000 (11:28 +0000)]
Some obsolete comment removed
Roland Haeder [Wed, 9 Feb 2011 14:19:14 +0000 (14:19 +0000)]
Fixed error reporting for debug mode
Roland Haeder [Fri, 26 Nov 2010 15:30:03 +0000 (15:30 +0000)]
Default value of 'count' needs to be 1
Roland Haeder [Tue, 5 Oct 2010 11:43:54 +0000 (11:43 +0000)]
Configuration entry 'ctracker_debug' renamed to 'ctracker_debug_enabled' to make clear this is a boolean config
Roland Haeder [Thu, 23 Sep 2010 12:09:23 +0000 (12:09 +0000)]
Some code blocks moved, detection of '..//' added, user-agent is now securely used
Roland Haeder [Tue, 14 Sep 2010 14:19:35 +0000 (14:19 +0000)]
SVN properties globally set
Roland Haeder [Fri, 20 Aug 2010 08:27:38 +0000 (08:27 +0000)]
'Based on' added, /proc/ will now be detected, do not use it in your scripts
Roland Haeder [Sun, 18 Jul 2010 12:03:51 +0000 (12:03 +0000)]
Fixes for missing config if no database link is provided
Roland Haeder [Thu, 8 Jul 2010 22:19:09 +0000 (22:19 +0000)]
TODOs.txt updated ...
Roland Haeder [Thu, 8 Jul 2010 21:50:51 +0000 (21:50 +0000)]
Documentation does now make a notice about database-less operations
Roland Haeder [Thu, 8 Jul 2010 21:47:56 +0000 (21:47 +0000)]
Updated to allow database-less operation
Roland Haeder [Sun, 20 Jun 2010 16:10:13 +0000 (16:10 +0000)]
Renamed
Roland Haeder [Sun, 16 May 2010 02:20:40 +0000 (02:20 +0000)]
Log of first attempt fixed
Roland Haeder [Sun, 16 May 2010 02:17:39 +0000 (02:17 +0000)]
Fix
Roland Haeder [Sat, 15 May 2010 07:37:33 +0000 (07:37 +0000)]
This should also not be used in URLs
Roland Haeder [Tue, 11 May 2010 09:19:49 +0000 (09:19 +0000)]
Missing form elements handled
Roland Häder [Tue, 11 May 2010 08:17:41 +0000 (08:17 +0000)]
Fix #4 from root...
Roland Haeder [Tue, 11 May 2010 08:12:54 +0000 (08:12 +0000)]
Fix #3
Roland Haeder [Tue, 11 May 2010 08:10:56 +0000 (08:10 +0000)]
Fix #2
Roland Haeder [Tue, 11 May 2010 08:09:48 +0000 (08:09 +0000)]
Fixes... :(
Roland Haeder [Tue, 11 May 2010 07:58:56 +0000 (07:58 +0000)]
Complete rewrite:
- Very simple and basic template system (HTML and email) added
- Templates are language-dependent or independent, depending on whether you call
crackerTrackerLoadTemplate() or crackerTrackerLoadLocalizedTemplate()
- Email templates are always language-dependent... :-)
- Flexible database auto-update added (please just call your secured script
normally!)
- Language sub-system added (German and English language is complete)
- Support ticket added, which gives your users, if their IP has recent malicious
activities on the secured server, a support ticket form where they can request
help. After the form is sent, the user can fully disable that warning. This is
done by the script sending them a cookie with their ticket id.
- This support ticket system can be switched off and configured a little in
the database table 'ctracker_config'. You can currently change the following
values there:
+ Minimum random delay in seconds (default: 10 seconds)
+ Maximum random delay in seconds (default: 30 seconds)
+ Whether the support ticket system is on/off (default: on)
+ Which language you prefer to read (default: en)
- README updated
Roland Haeder [Tue, 4 May 2010 18:31:12 +0000 (18:31 +0000)]
Added more flexible options
Roland Haeder [Tue, 4 May 2010 17:25:46 +0000 (17:25 +0000)]
Updated
Roland Haeder [Tue, 4 May 2010 17:08:27 +0000 (17:08 +0000)]
Updated
Roland Haeder [Thu, 7 Jan 2010 16:17:25 +0000 (16:17 +0000)]
Renamed to bypass naming conflicts
Roland Haeder [Tue, 5 Jan 2010 02:33:20 +0000 (02:33 +0000)]
Now detects proxy usage
Roland Haeder [Thu, 31 Dec 2009 17:45:55 +0000 (17:45 +0000)]
Mails updated
Roland Haeder [Thu, 31 Dec 2009 17:42:57 +0000 (17:42 +0000)]
A lot of spaces removed, array with server_name extended (SELECT query was extended, too)
Roland Haeder [Thu, 31 Dec 2009 17:30:03 +0000 (17:30 +0000)]
Unmodified GET data (query string) added
Roland Haeder [Thu, 31 Dec 2009 16:54:17 +0000 (16:54 +0000)]
Fix for warning
Roland Haeder [Thu, 31 Dec 2009 13:51:25 +0000 (13:51 +0000)]
Some nice improvements:
- Mail headers and recipient address configurable (the constant
__CTRACKER_EMAIL is deprecated)
- Domain is now included in check (see function isCrackerTrackerEntryFound())
- Last attempt wasn't logged correctly (bad SQL)
- Minor improvements
Roland Haeder [Thu, 31 Dec 2009 02:57:02 +0000 (02:57 +0000)]
Database dump added
Roland Haeder [Thu, 31 Dec 2009 02:53:13 +0000 (02:53 +0000)]
We don't need an open database link after the work is done
Roland Haeder [Thu, 31 Dec 2009 02:36:49 +0000 (02:36 +0000)]
First implementation
Roland Haeder [Wed, 30 Dec 2009 23:37:08 +0000 (23:37 +0000)]
Even more prepared
Roland Haeder [Wed, 30 Dec 2009 23:34:36 +0000 (23:34 +0000)]
Also them... :(
Roland Haeder [Wed, 30 Dec 2009 23:32:54 +0000 (23:32 +0000)]
All removed because this is a mini non-frameworked application
Roland Haeder [Wed, 30 Dec 2009 23:30:36 +0000 (23:30 +0000)]
Initial import with linked core from skeleton