i seem to have found a bug or "logic defect" in the http server code... in my error.log, i see things like this...
Wed May 15 2019 10:21:18 sestar.synchro.net
web 0068 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: dove-syncjs', Request: /msgs/msg.ssjs?msg_sub=dove-syncjs'&message=87'"
Wed May 15 2019 10:21:19 sestar.synchro.net
web 0068 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: dove-syncjs2121121121212.1, Request: /msgs/msg.ssjs?message=87&msg_sub=dove-syncjs2121121121212.1
Wed May 15 2019 10:21:19 sestar.synchro.net
web 0068 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: dove-syncjs and 1=1, Request: /msgs/msg.ssjs?message=87&msg_sub=dove-syncjs%20and%201%3D1
in the web logs, i see this...
185.98.7.178 - - [15/May/2019:10:21:18 -0400] "GET /msgs/msg.ssjs?msg_sub=dove-syncjs'&message=87'" HTTP/1.1" 200 97 "-" "-"
185.98.7.178 - - [15/May/2019:10:21:19 -0400] "GET /msgs/msg.ssjs?message=87&msg_sub=dove-syncjs2121121121212.1 HTTP/1.1" 200 111 "-" "-"
185.98.7.178 - - [15/May/2019:10:21:19 -0400] "GET /msgs/msg.ssjs?message=87&msg_sub=dove-syncjs%20and%201%3D1 HTTP/1.1" 200 104 "-" "-"
in the web browser, when i try one of these bad requests, i see this for the first one with the "'" characters around the "message=" part...
!JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: dove-syncjs'
problems:
1. the web server is returning a 200 code for these bad requests.
it should be returning a 403 or 404 instead.
2. the text emitted to the requester is leaking directory information
which gives out our installation layout. that's bad OPSEC. we
should not be leaking our directory structure and file names.
3. the report logged in error.log stops at the first "'".
granted, it does report the whole requested URL at the end of the
line but the "Error:" portion before the "Request:" portion does not.
i'm thinking that the web server should be returning a "403 Forbidden" or "404 Not Found" instead of the current 200 code and the "!JavaScript" error output... possibly, instead of just a plain 404 code, we can have our own 404 substatus codes to send back? i'm not sure what we could/should send back that would not give out too much information and cause the requester to take even more interest in the site... the idea of substatus codes comes from
https://en.wikipedia.org/wiki/HTTP_404 and i'm not aware of anything saying we cannot issue our own substatus codes in the same fashion that m$ has done with IIS...
i'm considering writing a rule for my IDS (snort) to catch these requests and block the offending IP... i can currently do that by intercepting the javascript error that is currently being transmitted to the requester... if/when the described problem is fixed in the code, that IDS detection won't work any more but that's fine... currently i'm considering to look for the "msg.ssjs line 20:" text but it may be better to just look for the "!JavaScript" text... if we use substatus codes, i can just as easily catch them... for instance, i could easily catch a "404.1 Invalid msgbase code" response :) either way, the main goal is to catch hacking attempts and block the offender at the perimeter firewall...
it doesn't really matter if we do add substatus codes or not but it would make my automatic detection and blocking easier to handle... i could just as easily look for invalid forms dug out from my logs and catch them on the inbound so as
to block immediately instead of waiting on the server response... in that case,
the server might see the request followed by an immediate loss of the connection which may also be followed by TCP/IP RST traffic where my detection is resetting the connection like some ISPs do when detecting torrents and similar...
)\/(ark
Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
... REAL Sysops disconnect the Speaker!
---
* Origin: (1:3634/12.73)