Odd Forum search Error
If you go to Forum search and specify keyword 'telnet' it returns a nice list of hits.
If you click on any of the Topic titles you get "The server has experienced a temporary error. If the problem persists please contact website admin and be sure to mention what you were trying to access at the time."
I get this every time, but only with the keyword 'telnet'; everything else works as expected.
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
- Shotokan101
- RouterTech Team
- Posts: 4779
- Joined: Thu Jan 26, 2006 3:17 pm
- Location: Glasgow, Scotland
telnet is a banned word on the server's mod_security when passed through the GET variable in a URL. The error shows only when you click the link, as the word you searched for is passed in the variable "highlight" when you do so, thus placing it in the GET location. It is allowed on POST though, which is why you can post it in a forum.
Last edited by Kieran on Sun Jul 02, 2006 12:36 pm, edited 1 time in total.
Kieran
"Indeed!"
Invaluable links: Forum Rules | Networking Guides | FAQ | Site Search | Forum Search <-- Use it or feel my wrath!
No support via PM, please ask your questions in the forum!
Kieran wrote: telnet is a banned word on the server's mod_security when passed through the GET variable in a URL. The error shows only when you click the link, as the word you searched for is passed in the variable "highlight" when you do so, thus placing it in the GET location. It is allowed on POST though, which is why you can post it in a forum.
I've seen you reference this before Kieran - but I've never understood why certain words pose a security problem - can you give some more info or point me at some "Light Reading for Dummies"? - I guess it's a PHP thing?
Last edited by Shotokan101 on Sun Jul 02, 2006 1:26 pm, edited 1 time in total.
Jim
.....I'm Sorry But I Can't Do That Dave.....
Kieran,
I get the same behaviour on your forum. I tried it as I wondered if it was a standard phpBB 'feature'??
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@kieranoshea.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
Kieran wrote: telnet is a banned word on the server's mod_security when passed through the GET variable in a URL. The error shows only when you click the link, as the word you searched for is passed in the variable "highlight" when you do so, thus placing it in the GET location. It is allowed on POST though, which is why you can post it in a forum.
Didn't see this before posting again.
So is it just something to live with?
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
I think if you know what telnet is then it's quite easy to see why you wouldn't want that command to execute in the server's unix shell with arguments from an unauthorised source.
Essentially telnet (or ssh) has the ability to connect the server on which the command is executed to another and then pass data and, more importantly, commands. This could be used to take remote control of the server, not something I really want to contemplate.
Sy, no, it's not phpBB specific, it is simply based on POST and GET requests containing certain commands being restricted.
Kieran
"Indeed!"
Invaluable links: Forum Rules | Networking Guides | FAQ | Site Search | Forum Search <-- Use it or feel my wrath!
No support via PM, please ask your questions in the forum!
OK. All understood.
It's a bit odd though. Given the nature of the forum some of the keywords likely to be used are the ones that are banned.
Is it possible to put an explanation in the error message returned?
We learn something every day, and lots of times it’s that what we learned the day before was wrong.
—Bill Vaughan
This is history repeating: viewtopic.php?t=279
Although I can forgive you because it would have thrown up an error when you clicked on the results
When a result for a telnet search is returned, the link might be something like:
https://www.routertech.org/viewtopic.php?t=279&highlight=telnet
It's the &highlight=telnet which produces the error, so if you manually remove that from the address box it works fine.
RouterTech Team and Founding Member
RouterTech Merchandise (UK)
No support via PM, please ask your questions on the forum!
That's one possible solution
I first reported the problem for another keyword back in March...then Kieran did some tweaking to sort it out. I think each keyword (there are several) needs to be dealt with accordingly...
viewtopic.php?p=416#416
viewtopic.php?p=657#657
RouterTech Team and Founding Member
RouterTech Merchandise (UK)
No support via PM, please ask your questions on the forum!
Words need to be dealt with individually because each is a command in a unix shell, and so if you wish to enable a word you have to weigh up the security implications and sometimes add some additional security to allow it to be submitted but not pose a risk. Sometimes a banned word has to stay irrespective of its annoyance to users too, I'm afraid.
As a result a message is now displayed along with the standard server error to indicate that a word in your post/search/link may have caused the error. Locked.
Kieran
"Indeed!"
Invaluable links: Forum Rules | Networking Guides | FAQ | Site Search | Forum Search <-- Use it or feel my wrath!
No support via PM, please ask your questions in the forum!
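A small model of the behaviour discussed in this thread, as an added example that is not part of the original posts and is not the site's actual mod_security configuration: a keyword rule applied to GET parameters only, next to a tuned variant that rejects the word only when a shell metacharacter precedes it. The banned-word list, the metacharacter set, the posting.php path and every sample request are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

BANNED = ("telnet",)          # assumed list; the thread only names 'telnet'
SHELL_META = r"[;&|`$(\n]"    # assumed set of shell command separators

def blunt_filter(method, url, body=""):
    """Model of the rule in the thread: a banned word anywhere in a GET
    parameter value is rejected; POST bodies are not inspected."""
    if method != "GET":
        return 200
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if any(word in value.lower() for word in BANNED):
            return 500  # the generic server error the users saw
    return 200

def tuned_filter(method, url, body=""):
    """Tuned variant (an assumption, not the site's rule): reject a banned
    word only when a shell metacharacter precedes it, in GET or POST."""
    pattern = re.compile(
        SHELL_META + r"\s*(?:" + "|".join(BANNED) + r")\b", re.I)
    fields = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    return 500 if any(pattern.search(v) for _, v in fields) else 200

BASE = "https://www.routertech.org/"
# Constructed sample requests: (label, method, url, body)
SAMPLES = [
    ("search-result link", "GET",
     BASE + "viewtopic.php?t=279&highlight=telnet", ""),
    ("same link, highlight removed", "GET", BASE + "viewtopic.php?t=279", ""),
    ("forum post mentioning the word", "POST",
     BASE + "posting.php", "message=use+telnet+to+log+in"),
    ("separator before the word, GET", "GET",
     BASE + "viewtopic.php?t=279&highlight=x%3Btelnet+example.invalid", ""),
    ("separator before the word, POST", "POST",
     BASE + "posting.php", "message=x%7Ctelnet+example.invalid"),
]

def run_samples():
    """Return (label, blunt status, tuned status) for each sample."""
    return [(label, blunt_filter(m, u, b), tuned_filter(m, u, b))
            for label, m, u, b in SAMPLES]

if __name__ == "__main__":
    for label, blunt, tuned in run_samples():
        print(f"{label:34} blunt={blunt} tuned={tuned}")
```

The first row is the false positive reported at the top of the thread; the last row shows the gap a GET-only keyword rule leaves when POST is not inspected.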