[busterone]

As per this topic at simplemachines.org  http://www.simplemachines.org/community/index.php?topic=526259.msg3730305#msg3730305
Arantor suggested I post this here for the developers to take a look at. There is no apparent weakness, but the response to the url request was odd. I received a "sorry, SMF could not connect to the database" error upon attempting manually access this url.
Here is the url and error from the error log

Code Select Expand

http://www.thedemonsden.com/index.php?page[path]=http://www.google.com/humans.txt?&cmd=ls
Undefined offset: 0
File: /homepages/xxxxxxxxxxxxxxx/htdocs/forum/Sources/Subs-Db-mysql.php
Line: 103

I am using SMF 2.0.8, and simpleportal 2.3.5

I will include the installed mods list as well

Code Select Expand

1. SMF 2.0.8 Update 1.0 [ Uninstall ]
2. SMF 2.0.7 Update 1.0 [ Uninstall ]
3. Add IP2Location to Track IP 1.31 [ Uninstall ]
4. SMF 1.1.19 / 2.0.6 Update 1.0 [ Uninstall ]
5. Treasury 2.12 [ Uninstall ]
6. SMF 2.0.5 Update 1.0 [ Uninstall ]
7. Misc Anti Spam 1.0 [ Uninstall ]
8. Stupid bouncy BBC 1.0 [ Uninstall ]
9. SMF 2.0.4 Update 1.0 [ Uninstall ]
10. SMF 2.0.3 Update 1.0 [ Uninstall ]
11. Annoy User 1.2.2 [ Uninstall ]
12. SimplePortal 2.3.5 [ Uninstall ]
13. SMF 2.0.2 Update 1.0 [ Uninstall ]
14. SMF 2.0.1 Update 1.0 [ Uninstall ]
15. SMF4Mobile Mod 1.0 [ Uninstall ]
16. Sitemap 2.2.0 [ Uninstall ]
17. LMGTFY BBcode v2.2 2.2 [ Uninstall ]
18. Bookmarks 2.3 [ Uninstall ]
19. Spoiler Tag 0.7.2 [ Uninstall ]
20. PM Attachments 1.6 [ Uninstall ]
21. Custom Action Mod 3.2 [ Uninstall ]
22. httpBL 2.5.1 [ Uninstall ]
23. Stop Spammer 2.3.9 [ Uninstall ]
24. SMF Chess 2.1.4 [ Uninstall ]
25. SMF Staff Page 1.7 [ Uninstall ]
26. PM to New Members 1.2 [ Uninstall ]
27. Aeva ~ Auto-Embed Video & Audio 7.0 [ Uninstall ]
28. The Rules 1.2 [ Uninstall ]
29. Add Domaintools to TrackIP 1.1 [ Uninstall ]
30. Arcadeworld Template 2.4 [ Uninstall ]
31. E-Arcade Beta4-SMF2rc2


As stated in the original topic, there is no harm done and no access to the site period, it is simply the site response that is odd.

[Chen Zhen]

  Here is a patch for the specific issue you describe:

file: ../Sources/Subs-Portal.php

find:

Code Select Expand


if (!empty($_GET['page']) && (empty($context['current_action']) || $context['current_action'] == 'portal'))
$page_info = sportal_get_pages($_GET['page'], true, true);


replace with:

Code Select Expand


if (!empty($_GET['page']) && (empty($context['current_action']) || $context['current_action'] == 'portal'))
{
$page_info = (!empty($_GET['page'])) && !is_array($_GET['page']) ? $smcFunc['htmltrim']($_GET['page']) : 0;
if (preg_match('~[^A-Za-z0-9_]+~', $page_info) != 0 || preg_match('~[0-9]+~', $page_info) != 0)
fatal_lang_error('error_sp_page_not_found', false);

$page_info = sportal_get_pages($page_info, true, true);
}




  All I did here was more or less apply the filter Sinan put in the SP admin template to the page request entered in the url.


Regards.

[busterone]

Thanks Underdog.  I cleared the error log and waited 2 days and these bots came back for 5 shots at it again, then stopped. Obviously it wasn't getting them the results they wanted, and there was no security issue that I can see either. It seems that they must just be probing for a weakness through the page request.  Better safe than sorry though.

[[SiNaN]]

It turns out that the code we have does not account for certain cases. This will be fixed in our upcoming patch level release. Thank you for your report!

[busterone]

No problem at all. If the bots had not hammered away like they did, I probably would not have noticed it at all if it had only been a few errors in the log.   

[Chen Zhen]

busterone,

  Does the patch work as expected? (0 errors in log and incorrect page is directed to page not exist display)

[busterone]

Works perfect. No errors in error log and the forum does direct to "The page you requested cannot be found."  error page.

[[SiNaN]]

Fixed for the upcoming version.