
Author Topic: [SECURITY FIX] htaccess patch (sNews 1.5.30)  (Read 7234 times)

Mika

  • Hero Member
  • *****
  • Karma: 9
  • Posts: 1377
    • http://www.ni5ni6.com/
[SECURITY FIX] htaccess patch (sNews 1.5.30)
« on: January 13, 2007, 10:44:12 AM »

We're working on improving the sNews 1.5 security issues... until then, please use this .htaccess patch.
Note: apply the blue part (the #security fix block) right after the RewriteEngine On command inside the existing htaccess file on your server.

Updated htaccess file:
- solved a minor log.php bug
- removed the reference to the error_logger.php file (used in my testing stage)
Quote
#...
RewriteEngine On

#security fix
# mod_rewrite should intercept most of the 'funny' requests and redirect them to log.php file
# (%{QUERY_STRING} is matched raw, hence the %22/%3C/%3E alternatives; the URL path is decoded first)

# a quote followed by an angle bracket anywhere in the query string
RewriteCond %{QUERY_STRING} (\"|%22).*(\>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
# <script ...> in the query string
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
# javascript: followed by a semicolon
RewriteCond %{QUERY_STRING} (javascript:).*(\;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
# a quote or semicolon followed by an SQL keyword (or, and and if also match inside ordinary words)
RewriteCond %{QUERY_STRING} (\;|\'|\"|\%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
# punctuation in the URL path itself (no RewriteCond, so this is checked on every request)
RewriteRule (,|;|<|>|'|`) log.php [NC]

#...
log.php file
Create a new log.php file with the following code inside and upload it to your site root (i.e. the folder where your htaccess file is).
Quote
<?php
# log.php will send you an email whenever a bad request occurs
# modify your-email-address and your-domain accordingly
# my@site.com is a dummy sender's email

$r = $_SERVER['REQUEST_URI'];   # original URI, kept across the internal rewrite
$q = $_SERVER['QUERY_STRING'];  # original query string (the rule adds none, so it is preserved)
$i = $_SERVER['REMOTE_ADDR'];
$u = $_SERVER['HTTP_USER_AGENT'];
$mess = $r . ' | ' . $q . ' | ' . $i . ' | ' . $u;
# mail() adds the Subject: header itself, so only the subject text is passed here
mail('your-email-address', 'bad request from your-domain', $mess, 'From: my@site.com');
echo "Ugly!";
?>
This quick solution is taken from the author's blog at http://www.jungsonnstudios.com/blog/
http://www.ni5ni6.com/ - Tutorials, Mods and How-To's about sNews CMS
sNews 1.6 Developers Edition - commented sNews 1.6 version

Mika

« Reply #1 on: January 13, 2007, 12:57:23 PM »


Mika

« Reply #2 on: January 13, 2007, 05:14:54 PM »

UPDATED HTACCESS
Quote
# remove the trailing slash before log.php
RewriteRule (,|;|<|>|'|`) log.php [NC]
but don't worry :) I've found a small log.php redirection bug - as you've noticed, log.php's sole function is to capture and mail you bad request data such as: suspicious URL, time, attacker's(?) OS, IP and browser type..
In order to test the htaccess file, do the following (example from my site at http://www.ni5ni6.com):

How the htaccess fix works:
1. type (or click on the link) this in your address bar:
http://www.ni5ni6.com/snews-mods/comments-area-styling-and-visuals/

2. modify the link with some problematic code (examine the htaccess file for some more 'suspicious' patterns)
http://www.ni5ni6.com/snews-mods/comments-\%22javascriptarea-styling-and-visuals/

3. hit enter

The htaccess file is supposed to capture the suspicious code in your request, recognize it as a hack attempt and redirect that bad request to the log.php file, which will automatically send the request info to the email provided.

This is how the subject/body looks (feel free to format the mail() function as you please)

Quote
/snews-mods/comments-%5C%22javascriptarea-styling-and-visuals/ | category=snews-mods/comments-\"javascriptarea-styling-and-visuals | xxx.xxx.xxx.xxx | Mozilla/5.0 (Windows; U; Windows xxx; en-US; rv: xxx) Gecko/20061204 Firefox/2.0.0.1
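An added offline check of the rewrite rules in this thread, written for this edit rather than taken from Mika's patch or from sNews: it mirrors the RewriteCond/RewriteRule patterns with Python's re module and runs them over a few constructed requests, so an administrator can see which URLs would be rewritten to log.php (and mailed) before deploying the patch. It assumes, as the Reply #2 mail shows, that sNews's own rewrite to index.php?category=... runs after these rules and restarts rule processing, so the pretty URL is checked again as a query string; rule names and sample requests are constructed.

```python
import re
from urllib.parse import unquote

# Offline model of the RewriteCond/RewriteRule patterns in this thread (constructed
# for this example). Apache [NC] patterns are case-insensitive and unanchored, so
# re.search(..., re.I) mirrors them. %{QUERY_STRING} is matched raw (hence the
# %22/%3C alternatives), while the per-directory URL path is percent-decoded first.
QUERY_RULES = [
    ("quote then angle bracket", r'("|%22).*(>|%3E|<|%3C).*'),
    ("script tag", r'(<|%3C).*script.*(>|%3E)'),
    ("javascript: with ;", r'(javascript:).*(;).*'),
    ("quote/; then SQL word",
     r"(;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).*"),
]
PATH_RULE = ("punctuation in path", r"(,|;|<|>|'|`)")


def matched_rule(path, query):
    """Name of the first rule that would rewrite this request to log.php, else None."""
    for name, pattern in QUERY_RULES:
        if re.search(pattern, query, re.I):
            return name
    if re.search(PATH_RULE[1], unquote(path), re.I):
        return PATH_RULE[0]
    return None


# Constructed sample requests as (url path, raw query string). The sNews rewrite
# that maps a pretty URL to index.php?category=... runs after these rules and
# restarts rule processing, so the second pass is where the query gets checked.
SAMPLE_REQUESTS = [
    ("snews-mods/comments-area-styling-and-visuals/", ""),
    ("index.php", "category=snews-mods/comments-area-styling-and-visuals"),
    ("index.php", 'category=snews-mods/comments-\\"javascriptarea-styling-and-visuals'),
    ("index.php", "search=what's+new+for+android"),
    ("index.php", "category=%3Cscript%3Etest%3C/script%3E"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Return [(request, matched rule or None)] so false positives are visible."""
    return [(q or p, matched_rule(p, q)) for p, q in requests]


if __name__ == "__main__":
    for request, rule in audit():
        print(f"{'LOG  ' if rule else 'pass '} {request!r:70} {rule or ''}")
```

The fourth rule matches or, and and if as substrings, so the benign search above is also sent to log.php and generates a mail; run your site's own typical URLs through this check to gauge the false-positive rate and the mail volume it will cause.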

Keyrocks

« Reply #3 on: January 15, 2007, 10:04:03 PM »

In response to Mika's Post #1 at the top, the following comments and suggestions were received from sNews member mike and have been re-posted here. Note that no testing of this script has been done. Any verification as to its workability is to be done by mike himself.

Quote from: mike
(The above solution) needs (to provide) more information. If this script was modified to include a capture of the date/time of the hack attempt, it would be more useful to the user's web host, because then they may be able to provide more details about where the hacking attempt came from, and jail that sonofab***h. (This revision would provide more details in the log e-mail).

<?php
$r = $_SERVER['REQUEST_URI'];
$q = $_SERVER['QUERY_STRING'];
$i = $_SERVER['REMOTE_ADDR'];
$u = $_SERVER['HTTP_USER_AGENT'];
$t = date('d.m.Y. H:i:s');
$c = gethostbyaddr($_SERVER['REMOTE_ADDR']);   # reverse DNS of the client; returns the IP unchanged if there is none
$mess = "This is an automatically generated email message sent to you (the administrator) because someone may have tried to exploit the sNews script on " . $_SERVER['HTTP_HOST'] . ", please take whatever action may be necessary.\n\n";
$mess .= "INVOCATION DETAILS:\n--------------------------------\n";

$mess .= 'Time: ' . $t . "\n" . 'Remote IP: ' . $i . "\n" . 'Computer name: ' . $c . "\n" . 'Requested URL: ' . $r . "\n" . 'URL Query: ' . $q . "\n" . 'User-Agent (Browser): ' . $u;
mail('me@mysite.com', 'Possible sNews exploit detected on PSN', $mess, 'From: exploit@mysite.com');
echo "Do not try to exploit this script.\n\nInformation about you has been collected and mailed to the administrator.\n";
?>
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Keyrocks

« Reply #4 on: February 24, 2007, 04:35:14 PM »

Mika - if this topic is no longer relevant to the current sNews release package - maybe it is a good idea to delete it altogether. What do you think? :)

piXelatedEmpire

« Reply #5 on: February 25, 2007, 03:03:58 AM »

or simply place something in the title saying [OBSOLETE] - might be useful for reference purposes?
my apologies to the sNews crew, but I will be MIA for the foreseeable future