From cc993d57663d9bbe81417c6f7f2db2c8f2c5bb98 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?= <rhaeder@cho-time.de>
Date: Thu, 28 Jul 2016 10:02:50 +0200
Subject: [PATCH] Sanitize request strings (also serialized POST data) from
 trickery like '//' and '/./' where the attacker tries to circumvent checks.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Roland HÃ¤der <rhaeder@cho-time.de>
---
 libs/lib_detector.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index 8a13dda..a59ae07 100644
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -173,8 +173,8 @@ function initCrackerTrackerArrays () {
 // Checks for worms
 function isCrackerTrackerWormDetected () {
 	// Check against the whole list
-	$GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
-	$GLOBALS['ctracker_checked_ua']  = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent()));
+	$GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerQueryString())));
+	$GLOBALS['ctracker_checked_ua']  = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), crackerTrackerUserAgent())));
 
 	/*
 	 * If it differs to original and the *whole* request string is not in
@@ -199,7 +199,7 @@ function isCrackerTrackerPostAttackDetected () {
 	$GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST));
 
 	// Check for suspicious POST data
-	$GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']));
+	$GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', str_replace(array('//', '/./'), array('/', '/'), $GLOBALS['ctracker_post_track'])));
 
 	// Is it detected?
 	return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $GLOBALS['ctracker_post_track']));
-- 
2.39.2