Recent Topics

Blog sec hole?

Started by on Mar 02, 2005 – Contents updated: Mar 02, 2005

Mar 02, 2005 20:48    

In this thread I followed instructions to only let reg. users post comments. http://forums.b2evolution.net/viewtopic.php?t=3388

However I feel there is a sec. hole in the Blog because I am still being spammed by a "guest"user. He uses different proxy's and I cant stop him.

Is there any other way to prevent this or is this a sec. hole in B2?

Mar 02, 2005 20:56

ya know, what was wrong with the first thread you started? sheesh.
its not a security hole, and you havent provided enough details for anyone, atleast not me, to advise you -- you have just said the same thing as before.

so lets go through it ...

you were getting comment spam, correct?
you fixed it so that only registered users can comment, correct?

"your still being spammed"

thats all well and fine, what kind of spam? comment spam? referer spam? youre absolutely 100% positive that you did the hack correctly? Youre willing to provide a url to your blog so that someone here can actually see for themselves that they are unable to comment w/o registering?

I dont mean to be short, but if you want help, you need to help us.

Mar 02, 2005 21:04

Comment spam, yes I changed the things correctly as were given to me in the other post. Sorry if I wasnt clear enough, thought I was though.

An example of the spam -->http://www.serbia-today.com/blog/index.php?blog=7&p=135&more=1&c=1&tb=1&pb=1

Thnx for any help.

Mar 02, 2005 21:17

if you check your apache logs (raw server logs) and look for those ips, whatever they are..my guess is that they are bypassing the permalink page all together.. they are calling your omment_post.php directly.. do this..

im assuming you have an .htaccess on your server in your b2evolution directory, that the server is apache, and that you understand how .htaccess is used.

open your .htaccess ..make sure somewhere in that file you have the following all ready


RewriteEngine On

that enables mod_rewrite. If thats not in your .htaccess put iit somewhere near the top..

then .. add the following somewhere under that line that was or is now there.


RewriteCond %{HTTP_REFERER} "!^http://www.serbia-today.com/.*$" [NC]
RewriteCond %{REQUEST_URI} ".*comment_post.php$"
RewriteRule .* - [F]

those 3 lines will prevent anyone from directly using an http_post to insert comments. It is NOT a sure-fire fix, as referers can be spoofed, however it will stop the dumbest of the lot.

By the way, what they are doing is not evidence of a security hole. Its simply the nature of http_post.. they are basically submitting a form, a form that can be submitted remotely or locally.. thats just the way it works.

you might need to use :


RewriteCond %{REQUEST_URI} "*comment_post.php$"

since comment_post.php iisnt in the root directory, or you could just use the path to the file -- hopefully you get the idea

Mar 02, 2005 21:26

Hi,

Thnx, I have 1 htacces in the root of my domain, I put another one in the blog directory with the info you mentioned. Dont know if that is ok or not.

If this person uses a form, can I completely disable comments? I didnt advertise yet through my mailing list about the blog but I expect a lot of Bloggers. The last thing I want is this. I would regret removing commenting but if they find their way around this then I most likely spend more time deleting spam comments then I do anything else.

THnx

Mar 02, 2005 21:37

the first thing to check is to make regged users can comment .. check that

Mar 02, 2005 21:38

Damn this is a disaster. The guy who does it is andrewsaluk.com
I dont think I am the only who can expect this. I got more then 55 spam comments and its rising. Anyway I can clean this up since I am getting complaints now.

Thnx.

Mar 02, 2005 21:39

Yes, reg users can post.

Mar 02, 2005 21:49

The domain was already added a long time ago. Its on the black list.
Thnx for the help, I hope he stops. But it wasnt me who added him om the black list so he might start annoying other people. Is there a way for the next update or so to change the commenting system?

Again thnx for the help.

PS Did the owner of this site ever thing to use Phorum ?

Mar 02, 2005 22:22

by the way, that little htaccess trick should allow you to open back up commenting to anonymous users.. obviously they (anons) could still post comment spam, but they can no longer do it remotely as is most often the case.

I have a whole sleeve full of tricks to combat spam, I guess I never shared that .htaccess/referer one before. You will have to let me know how that works out.

if you check your logs, you will prolly see that hes still trying .. and should be getting a forbidden (403) page

Mar 03, 2005 10:25

Yea he is(was) trying. It seems to work. Thnx a million :)
I will let you know if anything else happens. Again thnx.

Mar 05, 2005 04:01

Please excuse my drunken stupefaction, but, the hack you initially referenced ONLY refered to civilized humans who might attempt to comment. Whoo's advice, despite my inability to understand it, is (probably) spot-on. She ("she he or it" for those not into gender-specific terminology) knows what's going down at the server level.

*we now return you to the originally slibjabbed whamma blamma thread*

Mar 05, 2005 08:18

EdB wrote:

Please excuse my drunken stupefaction, but, the hack you initially referenced ONLY refered to civilized humans who might attempt to comment. Whoo's advice, despite my inability to understand it, is (probably) spot-on. She ("she he or it" for those not into gender-specific terminology) knows what's going down at the server level.

*we now return you to the originally slibjabbed whamma blamma thread*

8| You lost me.

BTW, new feature, trackback : http://www.serbia-today.com/blog/index.php?p=29&tb=1 Just got spam trackbacks but no comments.

Mar 05, 2005 09:26

yeap, you sure did. I can tell you what fixed that for me ...

I got 2 or 3 spam trackbacks, and immediately changed the filename responsible for accepting trackbacks..

Its a little harder for you to do than it was for me, but I can give you details on how to do it, if you like, tommorow.. For now, make sure that domain gets added to the spam list, if you havent already.

trackback spam seems to be the new way to spam, since most people have taken control of comment spam.

Mar 05, 2005 09:29

Ok I am adding the domains. I will be online tomorrow.
Does adding the domain the blacklist also block it from the trackback?

Ah yes, when I block a domain, why doesnt it block automatically the subdomains either?

Thnx

Mar 05, 2005 10:30

Hajduk,

Was that trackback spam advertising or originating from the same domain as the earlier comment spam? Or is this another spam domain? Also, how long have you had your blog up and working, is it new, older, medium?

You have a popular blog, I guess? Or no?

Last, and most importantly, so I make sure to give you the correct file edits, what version of b2evolution are you using?

Mar 05, 2005 10:37

Hi,

I run 0.9.0.11 "Paris" 2004-09-22
The Blog has been running since last December or so. It is getting more and more visitors and posters I dont complain on that :D Its not like wauw popular but not doing bad. I have my gaming clan members post on there as well and tend to use this Blog system for a new gaming comm. site.

I think this time it was a different spammer that posted twice a trackback. Its not just in this case but also in other cases when I use the blacklist. I ad someone and then they create a new subdomain. Might be the way I submit spammers-->url.

Mar 05, 2005 22:21

ok, after looking, I have to admit i've found a seemingly easier way to do this then doing all of the file edits for trackback.php

1. rename your htsrv dir. leave all the files inside it intact, and unchanged -- just rename the directory itself, calling it whatever you like.

2. Inside conf/_advanced.php find this:


* Location of the HTml SeRVices folder.
 * @global string $htsrv_subdir
 */
$htsrv_subdir = 'htsrv';                     // Subdirectory relative to base

change that variable : htsrv to whatever you renamed the directory to in step 1.

after doing so, you have changed the URL for your trackbacks, and comments, btw, in one quick switch.

The last thing you prolly want to doublecheck is that if you have referenced that directory in any .htaccess's that you change that also.

Let me know how this works out for you :)

Mar 06, 2005 13:45

Hhhm ok, I changed it as you said. All seems to work in good order so I am very happy :D

Thnx apreciate the help. :D


Form is loading...

Photo gallery software – This forum is powered by b2evolution CMS, a complete engine for your website.