Can't reply to post

16 Replies - 1125 Views - Last Post: 18 June 2009 - 09:08 AM

#1 mikeblas
  • D.I.C Regular
  • Reputation: 43
  • Posts: 390
  • Joined: 08-February 08

Can't reply to post

Posted 14 June 2009 - 09:18 AM

I'm trying to add a reply to this thread. When I post it, I get this error:

Forbidden
You do not have permission to access this document.

Web Server at dreamincode.net

The URL is simply "http://www.dreamincode.net/forums/index.php?"

Is something wrong with the forums? I've just posted here without a problem, and I can post responses in other threads; even in that same forum area.

This post has been edited by mikeblas: 14 June 2009 - 09:18 AM


Replies To: Can't reply to post

#2 mikeblas
  • D.I.C Regular
  • Reputation: 43
  • Posts: 390
  • Joined: 08-February 08

Re: Can't reply to post

Posted 14 June 2009 - 09:33 AM

I've managed to find that I can't make my post because of certain text. The text is:

gee
plus
plus
space
minus
cee
space
eff
oh
oh
dot
cee
pee
pee

all as regular characters, of course. If I try to make a post with that string, or edit the existing post with that string, then the preview or post buttons cause the error I describe above.

This seems like a pretty spectacular bug!

#3 Jayman
  • Student of Life
  • Reputation: 418
  • Posts: 9,532
  • Joined: 26-December 05

Re: Can't reply to post

Posted 14 June 2009 - 10:52 AM

Actually not a bug, that is the word filter. Put a space somewhere in the word to break it up and you should be able to post it.

#4 RudiVisser
  • .. does not guess solutions
  • Reputation: 1002
  • Posts: 3,562
  • Joined: 05-June 09

Re: Can't reply to post

Posted 14 June 2009 - 10:58 AM

You can't post g+ + -c?

EDIT: Wow you can't :D

This post has been edited by MageUK: 14 June 2009 - 11:01 AM


#5 mikeblas
  • D.I.C Regular
  • Reputation: 43
  • Posts: 390
  • Joined: 08-February 08

Re: Can't reply to post

Posted 14 June 2009 - 07:24 PM

Jayman, on 14 Jun, 2009 - 09:52 AM, said:

Actually not a bug, that is the word filter. Put a space somewhere in the word to break it up and you should be able to post it.

Word filter? A space in what word? "gc", "-c", or "foo.cpp"?


MageUK, on 14 Jun, 2009 - 09:58 AM, said:

You can't post g+ + -c?

EDIT: Wow you can't :D

Yeah, it's very odd. You can post "g++" or "-c", but "g++space-c" gets you dumped at the "forbidden" page.

#6 RudiVisser
  • .. does not guess solutions
  • Reputation: 1002
  • Posts: 3,562
  • Joined: 05-June 09

Re: Can't reply to post

Posted 15 June 2009 - 02:36 AM

Okay, that's really crap actually. I just tried to post this: http://www.mageuk.com/dic/kickie.txt and got the error. That's not informative, so it really doesn't help when you try to work out what's filtered.

More so, I have no idea what on earth would be filtered out of that........

#7 mikeblas
  • D.I.C Regular
  • Reputation: 43
  • Posts: 390
  • Joined: 08-February 08

Re: Can't reply to post

Posted 16 June 2009 - 06:39 AM

Are you sure it's a word filter? Why would a word filter not take you to a page that says you've triggered the word filter, and why? Or, simply replace your words with some special characters, like hearts?

Dumping me at an undecorated error page feels more like a bug.

Meanwhile, I tried to post "m i n g 3 2 - g + + - g 0 f o o . c p p" without the extra spaces, and had the same bug again. Is anyone here who is able to help with this issue?

This post has been edited by mikeblas: 16 June 2009 - 06:45 AM


#8 skyhawk133
  • Head DIC Head
  • Reputation: 1864
  • Posts: 20,278
  • Joined: 17-March 01

Re: Can't reply to post

Posted 16 June 2009 - 08:04 PM

The company we hire to secure our servers uses a very aggressive ruleset for our application firewall. There are a few common commands (like the one you tried to post) that trigger our application firewall, which returns a 403 error. We have literally thousands of these a day from actual hackers trying to hack into the site.

I hate to have to lock out hackers at the expense of legitimate posts/questions, but as of right now, we don't have a better way.

#9 mikeblas
  • D.I.C Regular
  • Reputation: 43
  • Posts: 390
  • Joined: 08-February 08

Re: Can't reply to post

Posted 16 June 2009 - 09:32 PM

I'm lost. How is text in a post an attempt to hack?

#10 RudiVisser
  • .. does not guess solutions
  • Reputation: 1002
  • Posts: 3,562
  • Joined: 05-June 09

Re: Can't reply to post

Posted 17 June 2009 - 07:34 AM

It's not, I'd hire a different security company.

What exactly is going to execute commands under your web server? And your webserver should be 100% unprivileged apart from reading (and, if required, which for this type of site it really isn't apart from 2 folders (avatar, attachments), writing) files.

#11 Jayman
  • Student of Life
  • Reputation: 418
  • Posts: 9,532
  • Joined: 26-December 05

Re: Can't reply to post

Posted 17 June 2009 - 11:47 AM

Seriously, MageUK and mikeblas, where the hell have you been since the advent of the internet?

How the hell do you think hackers inject code into servers?

Quote

How is text in a post an attempt to hack?

All code is just text, until an application executes/compiles it.

Perhaps you have never heard of SQL Injection or Code Injection, although I find it difficult to believe that neither of you have ever heard of them.

#12 RudiVisser
  • .. does not guess solutions
  • Reputation: 1002
  • Posts: 3,562
  • Joined: 05-June 09

Re: Can't reply to post

Posted 17 June 2009 - 11:51 AM

I've run and secured servers for a hell of a long time.... And submitting "gcc -c" through POST lets code be injected?? Then something is extremely wrong with the server(s) and permissions.

It's like blocking rm -rf *.*, and I will soooooo laugh if this post fails to edit.

Oh it didn't, might be used for hacking!?!?!??!

I'm not going to argue, but if you're worried about SQL injection then you surely wouldn't allow any queries through your "filter" either. XSS doesn't work with IPB, nor if you sanitise data correctly, now I'm sure that a community for programmers will know how to code and takes care of this... Reminds me of the IT Guys from my old college, "we replaced firefox becos it's DANGEROUS!!!!!!!!!!!!!!!!!1".

/unsubscribe

This post has been edited by MageUK: 17 June 2009 - 12:03 PM


#13 Jayman
  • Student of Life
  • Reputation: 418
  • Posts: 9,532
  • Joined: 26-December 05

Re: Can't reply to post

Posted 17 June 2009 - 06:22 PM

I am not sure why you think this is an argument, as I merely answered the question of the OP and then you came onboard and started getting all huffy about it.

The filters are in place for a reason, to help protect the DIC servers and the data they contain.

Personally, I don't understand why this seems to be an issue with you. It is not like it was meant to make posting difficult for our members, it is just an added layer of protection.

#14 firebolt
  • D.I.C Lover
  • Reputation: 92
  • Posts: 5,561
  • Joined: 20-February 09

Re: Can't reply to post

Posted 17 June 2009 - 11:21 PM

Really, who cares. If it's appropriate, then let the filter be so. There's not much to it; I mean, a few letters strung together isn't going to drastically affect the way we live.

#15 mikeblas
  • D.I.C Regular
  • Reputation: 43
  • Posts: 390
  • Joined: 08-February 08

Re: Can't reply to post

Posted 18 June 2009 - 06:32 AM

Jayman, on 17 Jun, 2009 - 05:22 PM, said:

Personally, I don't understand why this seems to be an issue with you.

It's an issue with me because it prevented me from posting until I reasoned out what the bug was.

Jayman, on 17 Jun, 2009 - 05:22 PM, said:

It is not like it was meant to make posting difficult for our members, it is just an added layer of protection.

Filtering doesn't avoid injection attacks; it simply blocks the ones that are known. (And in this case, also blocks legitimate text.) If this site blocks text like that in order to provide security, what text is it not blocking? A forum site that needs to carefully filter the content of posts in order to avoid injection attacks is simply not well-designed.

Binding, on the other hand, completely avoids injection attacks and treats data as data, never as executable content and entirely avoids the problem. It would be very remarkable if IPB was dynamically constructing and executing SQL strings out of the supplied post texts rather than binding them. In other words, yes: I know what injection is, and I also know simple techniques to completely avoid the attack vector.

While the intent might not have been to make posting difficult, that's precisely what it does ... all while failing to stop anything.

I think your tone is uncalled for, and your ad hominem approach is completely inappropriate. The act of politely answering a question doesn't start off with something like "where the hell have you been"?

This post has been edited by mikeblas: 18 June 2009 - 06:36 AM

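To make the filtering-versus-binding point in the post above concrete, here is an added example (not code from the thread, the site or IPB) that runs a constructed signature rule and both storage methods over constructed post bodies. The regex, the table name and the sample texts are assumptions made for the example; they are not the site's actual firewall rule or schema.

```python
import re
import sqlite3

# Constructed sample post bodies (not taken from the site's database):
# the compiler commands the thread is about, the same command with its
# arguments reordered, and an ordinary sentence containing a single quote,
# the character SQL uses to delimit strings.
POSTS = [
    "g++ -c foo.cpp",
    "mingw32-g++ -g0 foo.cpp",
    "g++ foo.cpp -c",
    "Can't reply to post",
]

# A blocklist rule in the spirit of the "very aggressive ruleset" described
# in the thread (constructed here; not the site's actual rule). It fires on
# a compiler name followed by whitespace and a flag.
COMMAND_SIGNATURE = re.compile(r"(?:gcc|g\+\+)\s+-\w")

def signature_filter_allows(body: str) -> bool:
    """Signature filtering decides on how the text looks, not on what it does."""
    return COMMAND_SIGNATURE.search(body) is None

def store_concatenated(conn: sqlite3.Connection, body: str) -> bool:
    """Builds the SQL by string concatenation, so the post text is parsed as
    part of the statement. Returns False when the statement breaks."""
    try:
        conn.execute(f"INSERT INTO posts (body) VALUES ('{body}')")
        return True
    except sqlite3.Error:
        return False

def store_bound(conn: sqlite3.Connection, body: str) -> bool:
    """Binds the post text as a parameter: SQLite receives it as data and
    never parses it as SQL, whatever characters it contains."""
    conn.execute("INSERT INTO posts (body) VALUES (?)", (body,))
    return True

def run_comparison() -> dict:
    """Applies the filter and both storage methods to every post in POSTS."""
    concat_db, bound_db = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    for db in (concat_db, bound_db):
        db.execute("CREATE TABLE posts (body TEXT)")
    return {
        "filter_allows": [signature_filter_allows(p) for p in POSTS],
        "concatenated_stored": sum(store_concatenated(concat_db, p) for p in POSTS),
        "bound_stored": sum(store_bound(bound_db, p) for p in POSTS),
        "bound_roundtrip": [r[0] for r in bound_db.execute("SELECT body FROM posts")] == POSTS,
    }
```

The filter rejects both legitimate compiler lines yet passes the same command with its arguments reordered, while the concatenated insert breaks on the harmless apostrophe in "Can't" and the bound insert stores all four bodies unchanged.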
