ctracker.git
[10 years ago] Fix for parser error :(
Roland Haeder [Sat, 20 Jul 2013 14:24:44 +0000 (14:24 +0000)]
Fix for parser error :(

[10 years ago] Resorted almost all pattern checks + used more single-quotes than double
Roland Haeder [Sat, 20 Jul 2013 14:24:06 +0000 (14:24 +0000)]
Resorted almost all pattern checks + used more single-quotes than double

[10 years ago] Wrappers like data://, tcp:// et cetera now blacklisted
Roland Haeder [Sat, 20 Jul 2013 13:30:14 +0000 (13:30 +0000)]
Wrappers like data://, tcp:// et cetera now blacklisted

[10 years ago] Use constants instead of keywords
Roland Haeder [Sat, 20 Jul 2013 13:07:03 +0000 (13:07 +0000)]
Use constants instead of keywords

[10 years ago] Fixes (oops) for bad check, blocked all
Roland Haeder [Thu, 18 Jul 2013 00:53:17 +0000 (00:53 +0000)]
Fixes (oops) for bad check, blocked all

[10 years ago] Experimental commit:
Roland Haeder [Thu, 18 Jul 2013 00:07:58 +0000 (00:07 +0000)]
Experimental commit:
decode URL before checking to avoid something like this: q=%2FopenFooBar which
would be converted to q=%2fopenfoobar and then blocked as 'fopen' is then found.

This happens with StatusNet 1.1.1

[10 years ago] Added incompatible notice
Roland Haeder [Thu, 27 Jun 2013 20:22:57 +0000 (20:22 +0000)]
Added incompatible notice

[10 years ago] Excluded secure_session=1 from mantis
Roland Haeder [Tue, 4 Jun 2013 13:57:14 +0000 (13:57 +0000)]
Excluded secure_session=1 from mantis

[11 years ago] Now use str_ireplace()
Roland Haeder [Thu, 18 Apr 2013 22:00:32 +0000 (22:00 +0000)]
Now use str_ireplace()

[11 years ago] Better use this?
Roland Haeder [Sat, 30 Mar 2013 06:01:32 +0000 (06:01 +0000)]
Better use this?

[11 years ago] Extended is correct
Roland Haeder [Mon, 11 Mar 2013 23:04:23 +0000 (23:04 +0000)]
Extended is correct

[11 years ago] Remove even more
Roland Haeder [Tue, 26 Feb 2013 22:08:17 +0000 (22:08 +0000)]
Remove even more

[11 years ago] unsetCtrackerData() introduced
Roland Haeder [Tue, 26 Feb 2013 21:46:56 +0000 (21:46 +0000)]
unsetCtrackerData() introduced

[11 years ago] Docu updated, detection array resorted a little
Roland Haeder [Thu, 20 Dec 2012 20:46:07 +0000 (20:46 +0000)]
Docu updated, detection array resorted a little

[11 years ago] Blocked also %27 (')
Roland Haeder [Wed, 24 Oct 2012 22:46:51 +0000 (22:46 +0000)]
Blocked also %27 (')

[11 years ago] Detection of SQL injection attempts added
Roland Haeder [Wed, 24 Oct 2012 22:16:00 +0000 (22:16 +0000)]
Detection of SQL injection attempts added

[11 years ago] Taken care of possible missing elements
Roland Haeder [Sat, 29 Sep 2012 22:06:08 +0000 (22:06 +0000)]
Taken care of possible missing elements

[12 years ago] 'cmd=' broke too many legitimate requests, cmd.exe should kill Windozer attacks a little...
Roland Haeder [Tue, 27 Sep 2011 18:27:44 +0000 (18:27 +0000)]
'cmd=' broke too many legitimate requests, cmd.exe should kill Windozer attacks a little more

[12 years ago] .pl also harms legitimate requests
Roland Haeder [Wed, 14 Sep 2011 10:59:31 +0000 (10:59 +0000)]
.pl also harms legitimate requests

[12 years ago] Now all forms of '0x' are detected
Roland Haeder [Sat, 27 Aug 2011 23:10:59 +0000 (23:10 +0000)]
Now all forms of '0x' are detected

[12 years ago] DOCUMENT_ROOT and _SERVER added (avoid these things please)
Roland Haeder [Sat, 27 Aug 2011 23:05:40 +0000 (23:05 +0000)]
DOCUMENT_ROOT and _SERVER added (avoid these things please)

[12 years ago] Block also these
Roland Haeder [Fri, 29 Jul 2011 09:43:07 +0000 (09:43 +0000)]
Block also these

[12 years ago] init also this
Roland Haeder [Fri, 29 Jul 2011 05:18:51 +0000 (05:18 +0000)]
init also this

[12 years ago] Fix for missing 'ctracker_post_track'
Roland Haeder [Fri, 29 Jul 2011 05:05:41 +0000 (05:05 +0000)]
Fix for missing 'ctracker_post_track'

[12 years ago] Detection of hexadecimal encoded (0xXXXXX) strings added
Roland Haeder [Fri, 24 Jun 2011 12:47:17 +0000 (12:47 +0000)]
Detection of hexadecimal encoded (0xXXXXX) strings added

[13 years ago] svn:eol-style set to 'native'
Roland Haeder [Wed, 20 Apr 2011 04:55:37 +0000 (04:55 +0000)]
svn:eol-style set to 'native'

[13 years ago] Duplicate entries removed, typo fixed
Roland Haeder [Sun, 10 Apr 2011 21:03:41 +0000 (21:03 +0000)]
Duplicate entries removed, typo fixed

[13 years ago] Copyright updated
Roland Haeder [Sun, 6 Mar 2011 11:29:30 +0000 (11:29 +0000)]
Copyright updated

[13 years ago] Some obsolete comment removed
Roland Haeder [Sun, 6 Mar 2011 11:28:32 +0000 (11:28 +0000)]
Some obsolete comment removed

[13 years ago] Fixed error reporting for debug mode
Roland Haeder [Wed, 9 Feb 2011 14:19:14 +0000 (14:19 +0000)]
Fixed error reporting for debug mode

[13 years ago] Default value of 'count' needs to be 1
Roland Haeder [Fri, 26 Nov 2010 15:30:03 +0000 (15:30 +0000)]
Default value of 'count' needs to be 1

[13 years ago] Configuration entry 'ctracker_debug' renamed to 'ctracker_debug_enabled' to make...
Roland Haeder [Tue, 5 Oct 2010 11:43:54 +0000 (11:43 +0000)]
Configuration entry 'ctracker_debug' renamed to 'ctracker_debug_enabled' to make clear this is a boolean config

[13 years ago] Some code blocks moved, detection of '..//' added, user-agent is now securely used
Roland Haeder [Thu, 23 Sep 2010 12:09:23 +0000 (12:09 +0000)]
Some code blocks moved, detection of '..//' added, user-agent is now securely used

[13 years ago] SVN properties globally set
Roland Haeder [Tue, 14 Sep 2010 14:19:35 +0000 (14:19 +0000)]
SVN properties globally set

[13 years ago] 'Based on' added, /proc/ will now be detected, do not use it in your scripts
Roland Haeder [Fri, 20 Aug 2010 08:27:38 +0000 (08:27 +0000)]
'Based on' added, /proc/ will now be detected, do not use it in your scripts

[13 years ago] Fixes for missing config if no database link is provided
Roland Haeder [Sun, 18 Jul 2010 12:03:51 +0000 (12:03 +0000)]
Fixes for missing config if no database link is provided

[13 years ago] TODOs.txt updated ...
Roland Haeder [Thu, 8 Jul 2010 22:19:09 +0000 (22:19 +0000)]
TODOs.txt updated ...

[13 years ago] Documentation now includes a notice about database-less operations
Roland Haeder [Thu, 8 Jul 2010 21:50:51 +0000 (21:50 +0000)]
Documentation now includes a notice about database-less operations

[13 years ago] Updated to allow database-less operation
Roland Haeder [Thu, 8 Jul 2010 21:47:56 +0000 (21:47 +0000)]
Updated to allow database-less operation

[13 years ago] Renamed
Roland Haeder [Sun, 20 Jun 2010 16:10:13 +0000 (16:10 +0000)]
Renamed

[13 years ago] Log of first attempt fixed
Roland Haeder [Sun, 16 May 2010 02:20:40 +0000 (02:20 +0000)]
Log of first attempt fixed

[13 years ago] Fix
Roland Haeder [Sun, 16 May 2010 02:17:39 +0000 (02:17 +0000)]
Fix

[13 years ago] This should also not be used in URLs
Roland Haeder [Sat, 15 May 2010 07:37:33 +0000 (07:37 +0000)]
This should also not be used in URLs

[13 years ago] Missing form elements handled
Roland Haeder [Tue, 11 May 2010 09:19:49 +0000 (09:19 +0000)]
Missing form elements handled

[13 years ago] Fix #4 from root...
Roland Häder [Tue, 11 May 2010 08:17:41 +0000 (08:17 +0000)]
Fix #4 from root...

[13 years ago] Fix #3
Roland Haeder [Tue, 11 May 2010 08:12:54 +0000 (08:12 +0000)]
Fix #3

[13 years ago] Fix #2
Roland Haeder [Tue, 11 May 2010 08:10:56 +0000 (08:10 +0000)]
Fix #2

[13 years ago] Fixes... :(
Roland Haeder [Tue, 11 May 2010 08:09:48 +0000 (08:09 +0000)]
Fixes... :(

[13 years ago] Complete rewrite:
Roland Haeder [Tue, 11 May 2010 07:58:56 +0000 (07:58 +0000)]
Complete rewrite:
- Very simple and basic template system (HTML and email) added
- Templates are language-dependent or independent, this depends on whether you call
  crackerTrackerLoadTemplate() or crackerTrackerLoadLocalizedTemplate()
- Email templates are always language-dependent... :-)
- Flexible database auto-update added (please just call your secured script
  normally!)
- Language sub-system added (German and English languages are complete)
- Support ticket added which gives your users, if their IP has recent malicious
  activities on the secured server, a support ticket form where they can request
  help. After the form is sent, the user can fully disable that warning. This is
  done by the script sending them a cookie with their ticket id.
- This support ticket system can be switched off and configured a little in
  the database table 'ctracker_config'. You can currently change the following
  values there:
  + Minimum random delay in seconds (default: 10 seconds)
  + Maximum random delay in seconds (default: 30 seconds)
  + Whether the support ticket system is on/off (default: on)
  + Which language you prefer to read (default: en)
- README updated

[13 years ago] Added more flexible options
Roland Haeder [Tue, 4 May 2010 18:31:12 +0000 (18:31 +0000)]
Added more flexible options

[13 years ago] Updated
Roland Haeder [Tue, 4 May 2010 17:25:46 +0000 (17:25 +0000)]
Updated

[13 years ago] Updated
Roland Haeder [Tue, 4 May 2010 17:08:27 +0000 (17:08 +0000)]
Updated

[14 years ago] Renamed to bypass naming conflicts
Roland Haeder [Thu, 7 Jan 2010 16:17:25 +0000 (16:17 +0000)]
Renamed to bypass naming conflicts

[14 years ago] Now detects proxy usage
Roland Haeder [Tue, 5 Jan 2010 02:33:20 +0000 (02:33 +0000)]
Now detects proxy usage

[14 years ago] Mails updated
Roland Haeder [Thu, 31 Dec 2009 17:45:55 +0000 (17:45 +0000)]
Mails updated

[14 years ago] A lot of spaces removed, array with server_name extended (SELECT query was extended...
Roland Haeder [Thu, 31 Dec 2009 17:42:57 +0000 (17:42 +0000)]
A lot of spaces removed, array with server_name extended (SELECT query was extended, too)

[14 years ago] Unmodified GET data (query string) added
Roland Haeder [Thu, 31 Dec 2009 17:30:03 +0000 (17:30 +0000)]
Unmodified GET data (query string) added

[14 years ago] Fix for warning
Roland Haeder [Thu, 31 Dec 2009 16:54:17 +0000 (16:54 +0000)]
Fix for warning

[14 years ago] Some nice improvements:
Roland Haeder [Thu, 31 Dec 2009 13:51:25 +0000 (13:51 +0000)]
Some nice improvements:
- Mail headers and recipient address configurable (the constant
  __CTRACKER_EMAIL is deprecated)
- Domain is now included in check (see function isCrackerTrackerEntryFound())
- Last attempt wasn't logged correctly (bad SQL)
- Minor improvements

[14 years ago] Database dump added
Roland Haeder [Thu, 31 Dec 2009 02:57:02 +0000 (02:57 +0000)]
Database dump added

[14 years ago] We don't need an open database link after the work is done
Roland Haeder [Thu, 31 Dec 2009 02:53:13 +0000 (02:53 +0000)]
We don't need an open database link after the work is done

[14 years ago] First implementation
Roland Haeder [Thu, 31 Dec 2009 02:36:49 +0000 (02:36 +0000)]
First implementation

[14 years ago] Even more prepared
Roland Haeder [Wed, 30 Dec 2009 23:37:08 +0000 (23:37 +0000)]
Even more prepared

[14 years ago] Also them... :(
Roland Haeder [Wed, 30 Dec 2009 23:34:36 +0000 (23:34 +0000)]
Also them... :(

[14 years ago] All removed because this is a mini non-frameworked application
Roland Haeder [Wed, 30 Dec 2009 23:32:54 +0000 (23:32 +0000)]
All removed because this is a mini non-frameworked application

[14 years ago] Initial import with linked core from skeleton
Roland Haeder [Wed, 30 Dec 2009 23:30:36 +0000 (23:30 +0000)]
Initial import with linked core from skeleton