Elxis CMS Forum
Support => Security => Topic started by: timalsina on September 02, 2014, 10:14:02
-
When the CSS/Javascript minifier is enabled, http://domain.com/inner.php/minify/6e22fc9f6772737f33b9aa7cd32ddd26.css
throws the following error:
SECURITY ALERT
Request dropped!
I think you are a bad boy.
Reference code: SEC-DEFB-0002
Sorry for the inconvenience.
Due to this the css and js are not rendering in the page. Disabling the CSS/Javascript minifier loads the regular css and js files as expected. The above case applies to all security levels when minifier and minifier+GZip compression are enabled for CSS or JS files.
-
This security message is displayed when your IP address has not been set or is an empty string. Have you tried the same process with another browser? I believe that something changes your IP address. Maybe a browser add-on or something else?
-
"SEC-DEFB-0002" means that you have already been banned by the Defender. Clear your ban and show us the first message you get.
-
I looked for "I think you are a bad boy" expression. ;D
-
Followed the instructions provided, does not work.
Completely deleted Elxis and re-installed fresh copy. Tried both: repository in webroot and above webroot. Still the same error. Did further log checking and turns out apache throws 403 error while accessing /inner.php/minify/6e22fc9f6772737f33b9aa7cd32ddd26.css
What could be the problem?
-
Further findings - it was Varnish cache causing 403 forbidden. The sysadmins @ cloudservers will get back to me once they have a working resolution. For the time being Varnish cache will be turned off for Elxis powered site.
-
This issue has been resolved.
-
Hi there,
this issue is occurring for some visitors to our website. Their IP Address is not on the Defender Ban list. I tried turning off all minify and compression of CSS and JS but this does not solve the problem. They do not get the error on iPad - only desktop. Please explain how to remove the link 'I think you are a bad boy' - this looks very unprofessional. Many thanks!
-
The message regarding the "bad boy" is displayed when the IP address of the visitor is invalid or empty.
Elxis Defender tries to get the IP address with these $_SERVER super global variables: HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, REMOTE_ADDR
The validation is performed with the standard PHP filter_var function and the FILTER_VALIDATE_IP flag.
Requires testing with the user having the problem to tell you how to fix it.
Disable Elxis Defender if you can't solve the problem.
-
Hi, does this make the website very vulnerable if Elxis Defender is switched off?
Can you tell me which file the 'bad boy' message is in, we would really like to change this wording as it looks bad to this company.
-
You could change that message if you edit the file defender.class.php under the folder: /includes/libraries/elxis/ at line: 82.
-
Thanks! By the way - the people in this company that cannot access the site say they CAN access it if they use https instead of http. Does this make any sense to you?
-
The company is saying they don't get this error on any other sites, so why do they need to change anything regarding IP address just for this site? Any advice on what to say to them?
-
Elxis is secure enough with Defender disabled. Defender is just an additional protection layer which blocks some requests before they reach the site. If you disable it these requests will reach the site, but this does not mean that they will harm it. Elxis has no known security problems. I didn't understand the last question you wrote.
-
Ok, thanks. The last question was - they are getting this 'bad boy' message and their opinion is 'we can visit all other sites ok - why do we have to take any action for your site' but regarding your previous explanation I understand they should do something regarding their IP?
-
You can do a test to help me fix this problem for you.
Create a file "test.php" and put it in your Elxis root folder.
Write in it:
<html>
<body>
<pre>
<?php print_r($_SERVER); ?>
</pre>
</body>
</html>
Tell one of the people having the problem to visit this page (e.g. http://www.example.com/test.php), save it as an html or text document and mail it to me or copy-paste it here.
-
Ok, great thanks, I have created this file and passed on the instruction. Sorry, didn't see your reply until now.
Happy Christmas!
-
Hi datahell,
here is the text that appears:
Array
(
[PATH] => /usr/local/bin:/usr/bin:/bin
[SCRIPT_NAME] => /test.php
[REQUEST_METHOD] => GET
[HTTP_ACCEPT] => */*
[SCRIPT_FILENAME] => /home/users/web/b1129/pow.seadhna/htdocs/ihrb/test.php
[HTTP_X_SAUCER] => KhKTXw6nmxS8sQ/vTyETiib9zQ==
[SERVER_SOFTWARE] => Apache/2
[REMOTE_PORT] => 61200
[HTTP_USER_AGENT] => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3; Crossrail)
[HTTP_CACHE_CONTROL] => max-age=259200
[HTTP_ACCEPT_LANGUAGE] => en-gb
[GATEWAY_INTERFACE] => CGI/1.1
[SCRIPT_URL] => /test.php
[DOCUMENT_ROOT] => /home/users/web/b1129/pow.seadhna/htdocs/ihrb
[HTTP_VIA] => 1.1 ClientSiteProxy:3128 (squid/2.7.STABLE4), 1.0 proxy-1_15 (squid/3.3.9), 1.1 cache-1:80
[UNIQUE_ID] => VJpyngoBcEkAAEgW1kUAAAAV
[SERVER_NAME] => www.ihrb.org
[SERVER_ADMIN] => cgiadmin@yourhostingaccount.com
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_CONNECTION] => keep-alive
[SCRIPT_URI] => http://www.ihrb.org/test.php
[SERVER_PORT] => 80
[REMOTE_ADDR] => 193.109.254.24
[SERVER_PROTOCOL] => HTTP/1.1
[HTTP_X_FORWARDED_FOR] => 10.186.54.46, 62.60.16.91
[REQUEST_URI] => /test.php
[HTTP_X_TEACUP] => eFDRD1LN2Ejj+hu9
[HTTP_HOST] => www.ihrb.org
[TZ] => EST5EDT
[PHP_SELF] => /test.php
[REQUEST_TIME] => 1419408030
[argv] => Array
(
)
[argc] => 0
)
-
The problem is that you connect to the internet through multiple proxies. HTTP_X_FORWARDED_FOR contains more than one IP address.
I will have a solution for you in a few minutes.
-
Problem solved. An updated Elxis 4.2 has been released, which also contains a fix for this problem.
Read the official announcement (https://forum.elxis.org/index.php?topic=8187.msg53377#msg53377) and update your site to 4.2 rev1644 by following the instructions in that post.
-
Thanks datahell! I will confirm if user responds that they are now able to access the site. Thanks again!
-
Elxis information
Platform: Elxis
Version: 4.2
Revision number: 1644
Code name: Icarus
Statement from the provider (one.com):
We use SNI (Server Name Indication) which enables multiple websites to run on the same IP number. SNI is not supported by Internet Explorer on Windows XP meaning that the (very low number of) users running Internet Explorer on Windows XP will not be able to take advantage of SSL on your website.
I have run the test script you provided:
[PATH] => /usr/local/bin:/usr/bin:/bin
[ONECOM_DOMAIN_NAME] => onsnet.be
[ONECOM_DOMAIN_ROOT] => /customers/5/f/a/onsnet.be/
[PHP_INI_SCAN_DIR] => /customers/5/f/a/onsnet.be//config/conf.d.php
[ONECOM_TMPDIR] => /customers/5/f/a/onsnet.be//tmp
[FCGI_ROLE] => RESPONDER
[ONECOM_CLIENT_IP] => 83.134.146.205
[DOCUMENT_ROOT] => /customers/5/f/a/onsnet.be/httpd.www
[ONECOM_DOCUMENT_ROOT] => /customers/5/f/a/onsnet.be/httpd.www
[WEBC_USER_DOCUMENT_ROOT] => /customers/5/f/a/onsnet.be/httpd.www
[DOMAIN_NAME] => onsnet.be
[WEBC_USER_DOMAIN_NAME] => onsnet.be
[HTTPS] => on
[HTTP_HOST] => www.onsnet.be
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[HTTP_COOKIE] => e17e5ee70a6057d4cf433815dbe16d8b07ccf614=f9839aa0369906c0c1e143c506330547bd5250b2; rp=10
[HTTP_USER_AGENT] => Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5
[HTTP_ACCEPT_LANGUAGE] => nl-nl
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_X_SSL_CIPHER] => TLSv1.2/AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
[HTTP_X_ONECOM_FORWARDED_IP] => 83.134.146.205
[HTTP_X_ONECOM_FORWARDED_PROTO] => https
[HTTP_X_FORWARDED_FOR] => 83.134.146.205, 127.0.0.1
[HTTP_X_VARNISH] => 9615329
[SERVER_SIGNATURE] =>
[SERVER_SOFTWARE] => Apache
[SERVER_NAME] => www.onsnet.be
[SERVER_ADDR] => 10.246.64.104
[SERVER_PORT] => 80
[REMOTE_ADDR] => 83.134.146.205
[SERVER_ADMIN] => support@one.com
[SCRIPT_FILENAME] => /customers/5/f/a/onsnet.be/httpd.www/test.php
[REMOTE_PORT] => 64614
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /test.php
[SCRIPT_NAME] => /test.php
[HTTP_CONNECTION] => close
[CONTENT_LENGTH] => 0
[PHP_SELF] => /test.php
[REQUEST_TIME] => 1422258178
And still get the error:
Reference code: SEC-DEFB-0002
This happens only when I use https
When I use http, all is working fine
-
IP validation fails. Elxis uses PHP's standard filter_var function, so it is not Elxis' fault. Most probably the problem is the shared IP address from the SNI setup on your server. To propose a solution I need access to your site's FTP to perform some tests.
To bypass the problem open this file:
includes/libraries/elxis/defender.class.php
and comment lines 81-83:
//if (($this->address == '') || !filter_var($this->address, FILTER_VALIDATE_IP)) {
// exitPage::make('security', 'DEFB-0002', 'I think you are a bad boy.');
//}
Note: You might also need to comment the next 3 lines (84-86).
-
Thank you for the very fast response.
I have commented line 81-83
It works perfect!
I'm already happy with the result!
Thanks again
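-
Added example (not part of the original thread and not Elxis's code): one way to reduce a multi-proxy X-Forwarded-For chain, like the ones in the dumps above, to a single validated address instead of commenting out the validation. resolveClientIp(), the trusted-proxy list and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Elxis code. resolveClientIp() and the proxy list are hypothetical.

/**
 * Return one validated client IP, or null if the peer address is unusable.
 * Forwarding headers are honoured only when the direct peer (REMOTE_ADDR)
 * is a proxy we operate; from anyone else they are client-supplied input.
 */
function resolveClientIp(array $server, array $trustedProxies): ?string
{
    $remote = trim((string)($server['REMOTE_ADDR'] ?? ''));
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // empty or malformed peer address: caller decides how to fail
    }
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // not relayed by our proxy, so ignore X-Forwarded-For
    }
    // The header is a chain "client, proxy1, proxy2". filter_var() rejects the
    // unsplit string, so split it and validate each hop on its own.
    $xff = (string)($server['HTTP_X_FORWARDED_FOR'] ?? '');
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    // Walk from the hop nearest to us outwards; the first valid address that is
    // not one of our proxies is the client as our own infrastructure saw it.
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the rest of the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed samples shaped like the $_SERVER dumps in the thread.
$trusted = ['192.0.2.10']; // hypothetical address of our own reverse proxy
$samples = [
    // Visitor behind their own proxy chain, connecting to us directly.
    ['REMOTE_ADDR' => '198.51.100.24', 'HTTP_X_FORWARDED_FOR' => '10.186.54.46, 203.0.113.91'],
    // Same chain, but relayed to PHP by our reverse proxy.
    ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.186.54.46, 203.0.113.91'],
    // Peer address missing, the condition the thread's message describes.
    ['REMOTE_ADDR' => ''],
];
foreach ($samples as $s) {
    echo resolveClientIp($s, $trusted) ?? 'no valid client IP', "\n";
}
```

HTTP_CLIENT_IP is left out on purpose, since any client can set that header; addresses taken from forwarding headers are only as reliable as the proxy that wrote them.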