Forbidden posts (containing "slash & dot" strings)


This topic contains 9 replies, has 3 voices, and was last updated by andfree Mar 12-3:55 am.

  • #7648
    Member
    andfree
    403 Forbidden
    
    A potentially unsafe operation has been detected in your request to this site.
    
    Generated by Wordfence at Sun, 11 Mar 2018 17:58:56 GMT.
    Your computer's time: Sun, 11 Mar 2018 17:58:57 GMT.
    • This topic was modified 1 year, 7 months ago by andfree.
    #7649
    Member
    andfree

    I don’t know why I was able to create this topic, but I can’t post a reply to that one. It gives me the message I wrote at the starting post of this topic. I don’t have firewall enabled.

    • This reply was modified 1 year, 7 months ago by andfree.
    #7656
    Member
    andfree

    The problem is caused by
    ../.
    &
    ./src/xcb_io.c:259
    in one line, without gap between them.

    • This reply was modified 1 year, 7 months ago by andfree.
    #7670
    Forum Admin
    rokytnji

    So put a gap between them. Or use the italics on the xcb as an experiment. Or the whole line of code in italics. We used to fix the /etc bug like that on the old forums which would not allow one to post that unless they did this. / etc

    Because I just checked < left click on my screenshot image to see it better >

    and there is not anything I can do about your problem.

    • This reply was modified 1 year, 7 months ago by rokytnji.

    Sometimes I drive a crooked road to get my mind straight.
    Not all who Wander are Lost.
    Linux Registered User # 475019
    How to Search for AntiX solutions to your problems

    #7677
    Member
    andfree

    Running tests:
    /./
    ../..
    /../

    • This reply was modified 1 year, 7 months ago by andfree.
    #7678
    Member
    skidoo

    403 Forbidden

    A potentially unsafe operation has been detected in your request to this site.

    Generated by [b]Wordfence[/b]

    The forum webserver is running a component called Wordfence.
    The component is a “freemium” software (US$89 per year) and the free version
    allows near zero customization of its “Web Application Firewall (and Spam and Archillian Battle Cruiser -blocking)” rules.

    Wordfence (the product, its developers) takes a hardass stance.
    THEY supply the list of firewall rules. THEY update / maintain a list of firewall rules, and these rules are autoupdated by the software.
    AFAIK, even when using the paid version, the configuration UI doesn’t expose full control ~~ admin cannot perform surgery on the individual rules contained in the firewall ruleset. Instead, admin is expected to (is forced to) one by one by one by one by one by one by one by one by one… eternally handle checking/whitelisting posts which have triggered blockage due to a firewall rule.

    Specific to this “discovered it happened b/c post contained dot dot slash” case,
    yeah the blocking action is (just) an annoyance, a false positive…
    …but from the POV of the Web Application Firewall, the triggering event
    ALSO potentially represents a directory traversal attack against the webserver.

    For future reference, if (unknown to all of us) Wordfence contains a rule prohibiting posts containing “bunnies”…
    and you post blahblah bunnies blah {————- BLOCKED
    immediately click the browser “Back” button. Hopefully you’ll be returned to the posting form page, with the cached textarea content still intact, and you can edit/remove/obfuscate the string of characters which is triggering (or might be triggering) the WAF block.
    (The firefox extension “TextArea Cache” will save yer bacon here, in instances where the server forces a page reload, causing browser to discard any previously-typed content.)

    ^———— Alternatively, instead of back and edit and hope and retry and ineedabeer:

    1) I post blahblah bunnies blah.
    2) post is blocked
    3) I PM roky and whine about the false positive block event
    4) roky visits the spam pile and views the post, confirms the block was a false positive, and “whitelists” the post.
    5) my previously-blocked post becomes visible on the site

    6 and onward)
    If I __edit__ that post, when I resubmit the edited version, we can expect it would not be blocked for “dot dot slash” reason.
    However, something else within the post may trigger yet another WAF rule & the attempted post of the edited version may again be blocked.

    If I, or anyone else, were to QUOTE (or copy/paste) the content of that whitelisted post…
    any new post containing that (“bunnies”, or “dot dot slash dot”) would wind up blocked.
    errrrr, confusingly…
    might wind up successfully “posted”, yet is immediately auto-whisked-away, to the spam pile.
    Then we get to PM roky and whine again… lather, rinse, repeat.

    The Wordfence Web Application Firewall blocks requests (visits) to your site that match specific patterns. For example, if a visitor makes a request with a query string that includes a pattern such as “../../” Wordfence detects it as a Directory Traversal attack and will block that request. Sometimes WordPress plugins and themes will exhibit behavior that resembles known attack patterns, which may then result in the firewall blocking something that is not actually malicious. This is called a false positive.
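The false positive described in the post above, as an added example that is not part of the thread and not Wordfence's code: a context-free signature check next to a containment check made where a path is actually used. The signature, the `BASE` directory, the function names and the sample inputs are assumptions constructed for illustration; the signature only mirrors the "slash dot dot slash" behaviour reported in this thread.

```python
import posixpath
import re

# Hypothetical signature modelled on the behaviour reported in this thread.
# It is NOT the actual Wordfence rule.
TRAVERSAL_SIGNATURE = re.compile(r"/\.\./")

BASE = "/var/www/uploads"  # assumed upload root, for illustration only


def signature_blocks(body: str) -> bool:
    """Context-free check: block any request body containing the pattern."""
    return TRAVERSAL_SIGNATURE.search(body) is not None


def resolves_inside(base: str, user_path: str) -> bool:
    """Context-aware check at the point a path is used: normalise
    base + user_path and require the result to stay under base.
    Lexical only; real code should also resolve symlinks (realpath)."""
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_path))
    return target == base or target.startswith(base + "/")


def classify(kind: str, value: str) -> str:
    """Compare the signature verdict with what the value can actually do.
    Only a 'file_param' is ever used as a path; 'post_text' is just text."""
    blocked = signature_blocks(value)
    dangerous = kind == "file_param" and not resolves_inside(BASE, value)
    if dangerous:
        return "traversal"
    return "false positive" if blocked else "benign"


# Constructed sample inputs (not taken from any real log).
SAMPLES = [
    ("post_text", "Assertion failed at ../../src/xcb_io.c:259"),
    ("post_text", "dot dot slash on its own: ../"),
    ("file_param", "img/../logo.png"),
    ("file_param", "../../outside.txt"),
]

if __name__ == "__main__":
    for kind, value in SAMPLES:
        print(f"{classify(kind, value):15} {kind:10} {value!r}")
```

The signature fires on the forum text and on a path that stays inside the base directory, while the containment check rejects only the value that would leave it.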

    #7682
    Member
    andfree

    After running some tests, I came to the conclusion that the problem is not “dot dot slash”. The proof: ../
    The problem is “slash dot dot slash”. It’s not avoided by using italics.

    #7686
    Member
    skidoo

    ../../../../../../

    Here, I’ll show it padded with spaces so’s ya can see “use italics (or bold tags) to break up the string of characters” does work

    . . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ]

    • This reply was modified 1 year, 7 months ago by skidoo.
    #7689
    Member
    skidoo

    test
    //:
    &=1

    #7702
    Member
    andfree

    Yes, if italic (or bold) tags break up the “slash dot dot slash” string, it does work:
    /../ ( /..[bold-tag]/[/bold-tag] )

    • This reply was modified 1 year, 7 months ago by andfree.