Forum
Banoncmdi/preventcmdi
User0815
18 January 2009, 18:22
I tested BanonCMDi and BanonCMDi + PreventCMDi with this exploit to test the function: hxxp://milw0rm.com/exploits/7731
After send the CMD with a pipe ( | ) in POST-Content the /tmp/dupa with output of uname -a is availible and i'm not blocked. Is there something wrong with my conf?
After send the CMD with a pipe ( | ) in POST-Content the /tmp/dupa with output of uname -a is availible and i'm not blocked. Is there something wrong with my conf?
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /usr/local/var/log/hiawatha/system.log
AccessLogfile = /usr/local/var/log/hiawatha/access.log
ErrorLogfile = /usr/local/var/log/hiawatha/error.log
GarbageLogfile = /usr/local/var/log/hiawatha/garbage.log
ServerString = Blub0r
Binding {
Port = 80
}
BanOnCMDi = 300
BanOnSQLi = 300
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
PreventCMDi = yes
ExecuteCGI = yes
CGIhandler = /usr/bin/php-cgi:php
CGIhandler = /usr/bin/perl:pl
CGIextension = cgi
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/var/www/hiawatha
StartFile = index.php
AccessLogfile = /usr/local/var/log/hiawatha/access.log
ErrorLogfile = /usr/local/var/log/hiawatha/error.log
User0815
18 January 2009, 18:24
Tested on
Linux 0815server 2.6.22-3-vserver-amd64 #1 SMP Sun Nov 4 18:41:00 UTC 2007 x86_64 GNU/Linux (my vserver with static IP)
and
Linux chaosgate 2.6.27-gentoo-r7 #2 SMP Fri Jan 9 21:20:32 CET 2009 i686 Intel(R) Pentium(R) M processor 1.86GHz GenuineIntel GNU/Linux (My Laptop)
Linux 0815server 2.6.22-3-vserver-amd64 #1 SMP Sun Nov 4 18:41:00 UTC 2007 x86_64 GNU/Linux (my vserver with static IP)
and
Linux chaosgate 2.6.27-gentoo-r7 #2 SMP Fri Jan 9 21:20:32 CET 2009 i686 Intel(R) Pentium(R) M processor 1.86GHz GenuineIntel GNU/Linux (My Laptop)
Hugo Leisink
18 January 2009, 18:35
Command injections are only prevented via GET variables en Cookies. If you want POST variables to be checked, edit target.c and uncomment the lines 598 - 600. Note that the command injections prevention is a little experimental. Fixing the application is always better.
User0815
18 January 2009, 18:38
Are SQLinjections only preventet in GET&Cookie,too. Or is an uncomment also needed?
Hugo Leisink
18 January 2009, 18:44
No, POST data is also checked for SQL injections attempts. Note that these options can cause problems with uploading of binary data, such as images. If you are using a webapplication which already takes care of quotes in user input (which SQL injection is), such as magic_quotes in PHP, don't use Hiawatha's SQL injection prevetion options. It causes quotes to be double escaped.
User0815
18 January 2009, 19:01
Thanks for your fast support. 
This topic has been closed.
Copyright © by Hugo Leisink. All rights reserved.
Built upon the Banshee PHP framework.
Built upon the Banshee PHP framework.
