Forbidden posts (containing "slash & dot" strings)
Tagged: "slash & dot" strings, 403 Forbidden, Wordfence
This topic has 9 replies, 3 voices, and was last updated Mar 12, 3:55 am by andfree.
andfree (Member), March 11, 2018 at 12:01 pm #7648:
403 Forbidden
A potentially unsafe operation has been detected in your request to this site.
Generated by Wordfence at Sun, 11 Mar 2018 17:58:56 GMT. Your computer's time: Sun, 11 Mar 2018 17:58:57 GMT.
andfree (Member), March 11, 2018 at 12:05 pm #7649:
andfree (Member), March 11, 2018 at 12:18 pm #7656:
The problem is caused by
../.
&
./src/xcb_io.c:259
in one line, without a gap between them.
rokytnji (Forum Admin), March 11, 2018 at 2:10 pm #7670:
So put a gap between them. Or use the italics on the xcb as an experiment. Or the whole line of code in italics. We used to fix the /etc bug like that on the old forums, which would not allow one to post that unless they did this. / etc
Because I just checked < left click on my screenshot image to see it better >
and there is not anything I can do about your problem.

andfree (Member), March 11, 2018 at 4:13 pm #7677:
Running tests:
/./
../..
/../
Anonymous, March 11, 2018 at 4:17 pm #7678:
403 Forbidden
A potentially unsafe operation has been detected in your request to this site.
Generated by [b]Wordfence[/b]

The forum webserver is running a component called Wordfence.
The component is a “freemium” software (US$89 per year) and the free version
allows near zero customization of its “Web Application Firewall (and Spam and Archillian Battle Cruiser -blocking)” rules.

Wordfence (the product, its developers) takes a hardass stance.
THEY supply the list of firewall rules. THEY update / maintain a list of firewall rules, and these rules are autoupdated by the software.
AFAIK, even when using the paid version, the configuration UI doesn’t expose full control ~~ admin cannot perform surgery on the individual rules contained in the firewall ruleset. Instead, admin is expected to (is forced to) one by one by one by one by one by one by one by one by one… eternally handle checking/whitelisting posts which have triggered blockage due to a firewall rule.

Specific to this “discovered it happened b/c post contained dot dot slash” case,
yeah the blocking action is (just) an annoyance, a false positive…
…but from the POV of the Web Application Firewall, the triggering event
ALSO potentially represents a directory traversal attack against the webserver.

For future reference, if (unknown to all of us) Wordfence contains a rule prohibiting posts containing “bunnies”…
and you post blahblah bunnies blah {————- BLOCKED
immediately click the browser “Back” button. Hopefully you’ll be returned to the posting form page, with the cached textarea content still intact, and you can edit/remove/obfuscate the string of characters which is triggering (or might be triggering) the WAF block.
(The firefox extension “TextArea Cache” will save yer bacon here, in instances where the server forces a page reload, causing browser to discard any previously-typed content.)

^———— Alternatively, instead of back and edit and hope and retry and ineedabeer:
1) I post blahblah bunnies blah.
2) post is blocked
3) I PM roky and whine about the false positive block event
4) roky visits the spam pile and views the post, confirms the block was a false positive, and “whitelists” the post.
5) my previously-blocked post becomes visible on the site
6 and onward)
If I __edit__ that post, when I resubmit the edited version, we can expect it would not be blocked for “dot dot slash” reason.
However, something else within the post may trigger yet another WAF rule & the attempted post of the edited version may again be blocked.

If I, or anyone else, were to QUOTE (or copy/paste) the content of that whitelisted post…
any new post containing that (“bunnies”, or “dot dot slash dot”) would wind up blocked.
errrrr, confusingly…
might wind up successfully “posted”, yet is immediately auto-whisked-away, to the spam pile.
Then we get to PM roky and whine again… lather, rinse, repeat.

The Wordfence Web Application Firewall blocks requests (visits) to your site that match specific patterns. For example, if a visitor makes a request with a query string that includes a pattern such as “../../” Wordfence detects it as a Directory Traversal attack and will block that request. Sometimes WordPress plugins and themes will exhibit behavior that resembles known attack patterns, which may then result in the firewall blocking something that is not actually malicious. This is called a false positive.
andfree (Member), March 11, 2018 at 4:28 pm #7682:
After running some tests, I came to the conclusion that the problem is not “dot dot slash”. The proof: ../
The problem is “slash dot dot slash”. It’s not avoided by using italics.

Anonymous, March 11, 2018 at 5:39 pm #7686:
../../../../../../
Here, I’ll show it padded with spaces so’s ya can see “use italics (or bold tags) to break up the string of characters” does work
. . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ] . . [ i ] / [ / i ]
Anonymous, March 11, 2018 at 5:49 pm #7689:
andfree (Member), March 12, 2018 at 3:55 am #7702:
Yes, if italic (or bold) tags break up the “slash dot dot slash” string, it does work:
/../ ( /..[bold-tag]/[/bold-tag] )
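The thread's test results (plain "../", "/./" and "../.." pass, "/../" and "../../src/xcb_io.c:259" are blocked, and a tag-split "/..[b]/[/b]" gets through) can be reproduced with a simplified stand-in for a WAF directory-traversal rule. This is an added example, not the Wordfence ruleset or any code from the forum; the regex, the bbcode stripper and the `classify_request` scoping (block on path/query, hold free-text form fields for moderator review instead of returning 403) are all assumptions of this example.

```python
import re

# Assumed stand-in for the traversal rule: one pattern that reproduces the
# outcomes reported in the thread. Wordfence's real rules are not shown here.
TRAVERSAL = re.compile(r"/\.\./")

# Constructed bbcode stripper: removes tags such as [i], [/i], [b], [/b].
BBCODE_TAG = re.compile(r"\[/?[a-z]+\]", re.IGNORECASE)


def matches_traversal(text: str) -> bool:
    """Raw substring check, the way a naive body-inspecting rule fires."""
    return TRAVERSAL.search(text) is not None


def normalize(text: str) -> str:
    """Drop forum markup so a tag-split sequence is matched as the reader sees it."""
    return BBCODE_TAG.sub("", text)


def classify_request(path: str, query: str, body: str) -> str:
    """Scope the rule by request field.

    A traversal pattern in the URL path or query string is a request aimed at
    the filesystem and is blocked outright.  The same pattern inside a free-text
    form field (a forum post) is routed to the moderation queue instead of being
    rejected with a 403, which is the whitelist workflow the thread describes.
    """
    if matches_traversal(path) or matches_traversal(query):
        return "block"
    if matches_traversal(normalize(body)):
        return "hold_for_review"
    return "allow"


if __name__ == "__main__":
    # Constructed samples taken from the strings the thread tried.
    for sample in ["../", "/./", "../..", "/../", "../../src/xcb_io.c:259",
                   "/..[b]/[/b]"]:
        print(f"{sample!r:32} raw={matches_traversal(sample)!s:5} "
              f"normalized={matches_traversal(normalize(sample))}")
    print(classify_request("/forums/topic/7648", "", "../../src/xcb_io.c:259"))
```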