
Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


[RESOLVED] v7.0.1 Uploaded catalogue file with long filename causes hack attack when downloading

#70093 (In Topic #14846)

Community saint

Uploading "OA, Scaredsim - Gradius 3, Declaration of War OC ReMix (Original full version).mp3" to my catalogue went fine, but when I try to download it I get the hacking attempt error below.

Looks like it's a name length problem, as when I strip out a few words it will download OK.

A potential hacking attempt …

Reason: A suspicious GET parameter was given (file as %2C%20Scaredsim%20-%20Gradius%203%2C%20Declaration%20of%20War%20OC%20ReMix%20%28Original%20full%20version%29.mp3)
IP address:
Member ID: 2
Username: admin
User Agent (typically, the web browser): Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Referrer: Music - xyz
Operating System: Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8
Date and time: 4:47 AM
URL: /cms/site/catalogue_file.php?original_filename=%2C+Scaredsim+-+Gradius+3%2C+Declaration+of+War+OC+ReMix+%28Original+full+version%29.mp3&file=%252C%2520Scaredsim%2520-%2520Gradius%25203%252C%2520Declaration%2520of%2520War%2520OC%2520ReMix%2520%2528Original%2520full%2520version%2529.mp3



If you believe …

File '…/cms/sources/failure.php' Line '417' Function 'get_html_trace' Args
File '…/cms/sources_custom/global2.php' Line '949' Function '_log_hack_attack_and_exit' Args

'DODGY_GET_HACK'

'file'

'%2C%20Scaredsim%20-%20Gradius%203%2C%20Declaration%20of%20War%20OC%20ReMix%20%28Original%20full%20version%29.mp3'

File '…/cms/sources_custom/global2.php' Line '1,349' Function 'log_hack_attack_and_exit' Args

'DODGY_GET_HACK'

'file'

'%2C%20Scaredsim%20-%20Gradius%203%2C%20Declaration%20of%20War%20OC%20ReMix%20%28Original%20full%20version%29.mp3'

File '…/cms/sources/catalogues2.php' Line '57' Function 'get_param' Args

'file'

File '…/cms/site/catalogue_file.php' Line '50' Function 'catalogue_file_script' Args


Last edit: by temp1024

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .
#70152
Fix attached.

Attachment
sources/catalogues2.php
» Download: catalogues2.php (33 Kb, 83 downloads so far)


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#70157

Community saint

Got an error on line 128 of the new script.

So I changed:

Code

   {*/

Code

   */{

Which looks like it did the trick. Is this the intended change?

Also, is there a file name size limit? And if so, I assume it just truncates it automatically.

#70158

Ah, that was due to another change that obviously went wrong. Your change is right.

It's a 255 character filename limit, and it'd give some kind of error if it went over that.

The issue you got was the parameter API limits (by default) what it will read in, to stop various forms of attack. Usually things like filenames don't go over URLs so this had to be made an exception.


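An added illustration in PHP of the guard the maintainer describes above: a default length cap on raw GET values that is logged as a hack attack when exceeded, an allowlist exception for parameters that legitimately carry filenames, and the separate 255-character filename check. This is not ocPortal's own code; the cap of 100, the function and constant names, and the unsafe-filename check are assumptions.

```php
<?php
// Added illustration, not ocPortal's own code: a GET-parameter guard in the
// spirit of the get_param behaviour discussed in this thread.
declare(strict_types=1);

// Assumed default cap on a raw GET value; the real ocPortal figure is not
// given in the thread. Anything longer is treated as a hack attempt.
const DEFAULT_MAX_PARAM_LENGTH = 100;
// Parameters allowed past the cap because they carry filenames (the
// exception the maintainer describes adding for catalogue downloads).
const LONG_VALUE_ALLOWED = ['file', 'original_filename'];
// Filename limit quoted in the thread.
const MAX_FILENAME_LENGTH = 255;

// Validate one GET parameter as PHP hands it over (already decoded once).
// Returns ['ok' => true, 'value' => ...] or ['ok' => false, 'reason' => ...].
function check_get_param(string $name, string $raw, array $allowLong = LONG_VALUE_ALLOWED): array
{
    if (strlen($raw) > DEFAULT_MAX_PARAM_LENGTH && !in_array($name, $allowLong, true)) {
        return ['ok' => false, 'reason' => 'DODGY_GET_HACK', 'param' => $name];
    }
    // The reported 'file' value was encoded twice, so it still holds %xx
    // sequences after PHP's own decode; peel the remaining layers (bounded).
    $value = $raw;
    for ($layer = 0; $layer < 3; $layer++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    // Relaxing the length cap must not relax path safety: a name that points
    // into a directory or carries a NUL byte is rejected outright.
    if (strpos($value, '/') !== false || strpos($value, '\\') !== false
        || strpos($value, "\0") !== false || strpos($value, '..') !== false) {
        return ['ok' => false, 'reason' => 'UNSAFE_FILENAME', 'param' => $name];
    }
    if (strlen($value) > MAX_FILENAME_LENGTH) {
        return ['ok' => false, 'reason' => 'FILENAME_TOO_LONG', 'param' => $name];
    }
    return ['ok' => true, 'value' => $value, 'param' => $name];
}

// The over-100-character 'file' value from the report, as it sits in $_GET.
$reported = '%2C%20Scaredsim%20-%20Gradius%203%2C%20Declaration%20of%20War%20OC%20ReMix%20%28Original%20full%20version%29.mp3';
var_dump(check_get_param('file', $reported, []));  // no exception list: DODGY_GET_HACK
var_dump(check_get_param('file', $reported));      // allowlisted: decodes to the .mp3 name
var_dump(check_get_param('file', '..%2Fhidden.mp3'));  // constructed sample: UNSAFE_FILENAME
```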
#70163

Community saint

OK, Thanks!

#70164

Community saint

F.Y.I. File names look to be right-truncated to 79 chars. Even accounting for URL and escaping it still comes nowhere near 255.

#70167

I did forget to count the URL stub, so should be 235. Running a test now to see what happens and if it can be solved.


#70169

It will raise if you upload this:
Attachment
sources/incoming_uploads.php
» Download: incoming_uploads.php (4 Kb, 84 downloads so far)

and put this into OcCLE:

Code

:$GLOBALS['SITE_DB']->alter_table_field('incoming_uploads','i_orig_filename','URLPATH');


#70172

Community saint

Works a treat, thanks Chris!
