From 6b1a4b38d6f7fdfd1fdd37b05799acf2eea2b193 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?=
Date: Thu, 28 Jul 2016 10:02:50 +0200
Subject: [PATCH] Sanitize request strings (also serialized POST data) from trickery like '//' and '/./' where the attacker tries to circumvent checks.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Roland Häder
---
 libs/lib_detector.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index 8a13dda..a59ae07 100644
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -173,8 +173,8 @@ function initCrackerTrackerArrays () {
 // Checks for worms
 function isCrackerTrackerWormDetected () {
 // Check against the whole list
- $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
- $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent()));
+ $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerQueryString())));
+ $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerUserAgent())));
 
 /*
 * If it differs to original and the *whole* request string is not in
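Review bot: The collapsed strings on the two `+` lines exist only on the checked side, while the comment on the hunk's last line says the result is compared with the original request; if that comparison is unchanged, a legitimate `//` in the query string (a `redirect=http://…` parameter) or in the User-Agent (`+http://www.google.com/bot.html` in Googlebot's UA) now differs from the original and is classified as a worm without any blacklist entry matching. The normalisation is also a single `str_replace` pass that runs before `urldecode`, so `///`, `/.//./` and encoded forms such as `%2F%2F` or `/%2E/` are not collapsed and still reach the blacklist check in their evasive form. The comparison and the remainder of isCrackerTrackerWormDetected lie outside the hunk, so the fix belongs there: collapse to a fixed point and compare both values after the same normalisation, e.g. `$normalized = crackerTrackerQueryString(); do { $previous = $normalized; $normalized = str_replace(array('//', '/./'), '/', $normalized); } while ($normalized !== $previous);` and then use `$normalized` as the "original" on the right-hand side of the comparison.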
@@ -199,7 +199,7 @@ function isCrackerTrackerPostAttackDetected () {
 $GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST));
 
 // Check for suspicious POST data
- $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']));
+ $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), $GLOBALS['ctracker_post_track'])));
 
 // Is it detected?
 return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $GLOBALS['ctracker_post_track']));
-- 
2.39.5
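Review bot: The new normalisation is applied only to the left side of the `!=` on the hunk's last line, so any POST field containing `//` (a URL value such as `http://example.com`) now makes `ctracker_checked_post` differ from `ctracker_post_track` and the request is reported as an attack even though no blacklist entry matched. The collapse is also a single `str_replace` pass, so `///` and `/.//./` survive it, and because it runs before `urldecode` the encoded variants `%2F%2F` and `/%2E/` are never collapsed at all. Normalising a copy of the tracked string to a fixed point and comparing the blacklisted result against that same copy keeps the intent of the change without the false positives; the pre-existing `urldecode` asymmetry between the two sides is left as it was.
```php
	// Check for suspicious POST data: collapse '//' and '/./' to a fixed point,
	// then compare the blacklisted string against the *same* normalised copy
	$normalized = $GLOBALS['ctracker_post_track'];
	do {
		$previous = $normalized;
		$normalized = str_replace(array('//', '/./'), '/', $normalized);
	} while ($normalized !== $previous);
	$GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $normalized));

	// Is it detected?
	return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $normalized));
```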