Having the word "echo" in the URL gives me an error

jmraker
http://jmraker.frih.org/index.html?echo
http://jmraker.frih.org/echo

When a URL contains the word "echo" it's giving me a "500 Internal Server Error", even if it's to an HTML file or a page that doesn't exist

Code:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request jmraker.frih.org


It's ok to post with the word "echo", and the site doesn't have a .htaccess file
rvec
That's some safety thing Bondings installed.
You'll have to think of another name for your files
jmraker
I discovered it when a PHP script on my site didn't work when it tried to pass a parameter that contained the word "echo" in it. If the parameters are sent via GET as in http://www.site.com/script.php?name=Techo...&...&etc it failed and I reduced it down till I found the word "echo" was the fault, but if name=Techo is sent via POST it works. I like to make sure my scripts accept both types of parameters in their API
jmraker
I stumbled upon another word that's causing problems: "egg drop" (without the space, because I can't post the word in this forum without it)

http://www.jmraker.frih.org/?egg drop (remove the space)

but with that word, any POST or GET request containing that word becomes an Internal Server Error
There's a record in my database that my program can't edit in phpMyAdmin

Wikipedia says the thing is an IRC bot

Since I want this fixed if possible, is this post enough? Because the whole "echo" problem never got a response.
mathiaus
You say 'fixed' but it isn't actually a bug or a problem (apart from for you).

For once, it is actually a feature, put on for a very good purpose. I can't see it being removed unless there is a very good reason to do so.
jmraker
I kind of see how a GET request would be acceptable to block, but I don't see how posting the word "egg drop" when it's part of another word. My program needs to edit a record with the word "Negg drop soup", it's a Neopets item, the "echo" is for the various Techo items.

Is there a list of forbidden words and why they're forbidden?

I'm assuming "echo" is to prevent a specially hacked url to run the echo program to specify a page's contents, and egg drop is to I guess kill or something an IRC bot

but I don't think there's a way to specially hack the POST data to do that. Like if I type egg drop in this forum without the space at http://www.jmraker.frih.org/wordtest.php
Hogwarts
jmraker wrote:
I kind of see how a GET request would be acceptable to block, but I don't see how posting the word "egg drop" when it's part of another word. My program needs to edit a record with the word "Negg drop soup", it's a Neopets item, the "echo" is for the various Techo items.

Egg drop is the name of an IRC bot program, with IRC bots being banned on Frihost. Although I can't see a reason for Bondings banning the phrase, unless aliens support censorship.

"Echo" is probably banned to prevent newbies from writing scripts like http://newbie.frih.org/program.php?echo=XSSGOESHERE

With the code
Code:

<?php
// Reflects the raw query parameter straight into the page (reflected XSS).
echo $_GET['echo'];
?>


Which would end up being XSS exploits (People could freely post malicious JavaScript in them/etc.)
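An added example (my own Python, not code from any poster or from Frihost) illustrating the two points above: a substring blocklist of the kind the thread describes rejects legitimate values such as "Techo" while doing nothing about the reflected-XSS pattern itself, and output encoding is what actually neutralises `echo $_GET['echo']`. The blocked words, the sample values and the `<p>` wrapper are constructed assumptions; `html.escape` stands in for PHP's `htmlspecialchars`.

```python
import html
import re

# Constructed sample values, not taken from the poster's site.
BLOCKED_WORDS = ("echo", "eggdrop")
HARMLESS = "Techo"                        # legitimate value that merely contains "echo"
PROBE = "<script>alert(1)</script>"       # classic reflected-XSS test string


def filter_blocks(query_string: str, words=BLOCKED_WORDS):
    """The crude rule the thread describes: a case-insensitive substring
    blocklist over the whole request text. Returns the first blocked word
    found, or None if the request would be allowed through."""
    lowered = query_string.lower()
    for word in words:
        if word in lowered:
            return word
    return None


def render_unsafe(value: str) -> str:
    """Equivalent of `echo $_GET['echo'];` inside an HTML page: raw reflection."""
    return f"<p>{value}</p>"


def render_safe(value: str) -> str:
    """Output encoding, the actual fix for reflected XSS whatever the word is:
    '<', '>', '&' and quotes become entities, so the browser shows text."""
    return f"<p>{html.escape(value, quote=True)}</p>"


def contains_markup(rendered: str) -> bool:
    """Detection helper: is there any tag inside our <p> wrapper?"""
    inner = rendered[len("<p>"):-len("</p>")]
    return re.search(r"<[a-zA-Z/]", inner) is not None


if __name__ == "__main__":
    for q in ("name=Techo", "name=Neggdrop+soup", "name=" + PROBE):
        print(f"{q!r:45} blocked by word: {filter_blocks(q)}")
    print("unsafe:", render_unsafe(PROBE), contains_markup(render_unsafe(PROBE)))
    print("safe:  ", render_safe(PROBE), contains_markup(render_safe(PROBE)))
```

The filter flags "Techo" and "Neggdrop soup" (the poster's false positives) yet lets the probe through because it contains neither word, while the encoded rendering shows the same probe as inert text.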
Peterssidan
drop is probably banned to avoid dropping database tables.

This kind of security is extra fun if you have some kind of SEO URLs for a forum or something; topics can easily be unreachable.
Hogwarts
Peterssidan wrote:
drop is probably banned to avoid dropping database tables.


That's weird.

PHP doesn't allow for multiple queries in a single mysql_query function, which protects from that anyway. Not sure how it is about pgsql or other database systems though, although they're not widely used anyway.
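As an added example (my own Python against an in-memory SQLite table, not any poster's code; the `items` table and its rows are constructed), this shows the two things being debated here: a driver's one-statement-per-call limit, which sqlite3's `execute()` shares with `mysql_query`, does reject a stacked `; DROP TABLE`, but it does nothing against input that rewrites the WHERE clause of the single permitted statement, and a parameterized query is what closes both.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the poster's item records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO items (name, secret) VALUES (?, ?)",
        [("Negg drop soup", 0), ("Techo plushie", 0), ("hidden item", 1)],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """String-built query, the pattern behind mysql_query("... '$name'").
    Only one statement is ever sent, yet the input still becomes SQL."""
    sql = f"SELECT name FROM items WHERE secret = 0 AND name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM items WHERE secret = 0 AND name = ?", (name,)
    )
    return [row[0] for row in rows]


def stacked_statement_rejected(conn: sqlite3.Connection, name: str) -> bool:
    """Mirrors the single-statement limit mentioned for mysql_query: sqlite3's
    execute() refuses a second ';'-separated statement, so the concatenated
    query errors out instead of running the extra statement."""
    sql = f"SELECT name FROM items WHERE name = '{name}'"
    try:
        conn.execute(sql).fetchall()
        return False
    except (sqlite3.Warning, sqlite3.Error):   # older/newer Pythons raise different types
        return True


if __name__ == "__main__":
    db = make_db()
    print("normal  :", lookup_concat(db, "Negg drop soup"))
    print("rewritten WHERE, concat:", lookup_concat(db, "x' OR '1'='1"))
    print("rewritten WHERE, param :", lookup_param(db, "x' OR '1'='1"))
    print("stacked statement rejected:", stacked_statement_rejected(db, "x'; DROP TABLE items; --"))
```

The legitimate value "Negg drop soup" works with both lookups, so the fix does not need any word to be forbidden; the concatenated lookup leaks the `secret = 1` row through a rewritten WHERE clause inside one statement, while the bound parameter returns nothing.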
jmraker
I'm just guessing that echo is forbidden because it might be possible to memory overload a GET request to trick the web server into calling the echo command, but of all the GNU/Linux commands, it's not that dangerous.

A little googling found that someone had problems with someone running the bot on their server
http://groups.google.com/group/apache-security-tips/browse_thread/thread/b8737aa6c5fb1c32

In order for the forbidding of the egg**** word to be effective, it would assume the hackers are too lazy to change the name of the IRC bot program, and isn't PHP locked down enough to prevent the bot?
Hogwarts
jmraker wrote:
I'm just guessing that echo is forbidden because it might be possible to memory overload a GET request to trick the web server into calling the echo command, but of all the GNU/Linux commands, it's not that dangerous.

That... really isn't possible.

At all.

Period.


jmraker wrote:
In order for the forbidding of the egg**** word to be effective, it would assume the hackers are too lazy to change the name of the IRC bot program, and isn't PHP locked down enough to prevent the bot?

PHP's security is more than ample; it's the admins (who here shouldn't be a problem) and users (who here are almost always the source of the problem) of it you need to worry about. Despite that, I cannot see how blocking URLs containing the word 'drop' will matter anyway, or that there's any PHP/Apache-related exploit here. I believe that Peterssidan was correct in assuming that it's related to SQL injection in some form or mutation.
jmraker
The forbidden word is "e g g d r o p" (without the spaces, like "eggd rop"). I can't use that 7-letter word (no spaces, that's "egg" then "drop") on my site, nor can I enter that word in this forum.

Apache is blocking the word like it does for "echo", but also when it's in POST requests, instead of loading the HTML page or running the PHP program.

I don't think it has anything to do with SQL because real databases shouldn't drop tables so easily, as it would require a database username/password and the web server does not run the PHP program.

But I could be wrong and there's a dropping of the eggs SQL command.
Hogwarts
jmraker wrote:
I don't think it has anything to do with SQL because real databases shouldn't drop tables so easily, as it would require a database username/password and the web server does not run the PHP program.


Another person ignorant of SQL injection.

*adds you to the scoreboard*
jmraker
What I meant was that, based only on the parameters, Apache shouldn't be running SQL commands before the web server runs the PHP program, and if Apache did, the database shouldn't drop the table without a user/pass which the hacker wouldn't know.

I looked up "SQL injection" and it's exactly what I know it is, where parameters to a program can alter a SQL command to the effect of it returning different data or running other SQL commands.

But the forbidden word is NOT "drop", it's the 7 letter word that's "e g g d r o p" (without the spaces), 'e-g-g-d-r-o-p' (without the dashes), "e.g.g.d.r.o.p" (without the period).

The 4-letter word "drop" is not the forbidden word.

MySQL's documentation of that dangerous egg command for dropping tables is missing
http://search.mysql.com/search?q=eggdro&ie=&lr=lang_en&x=0&y=0

I feel like such a jerk now, and I still don't see why blocking the name of an IRC bot could stop the bot from running, which is the only logical reason why it would be on the list.
rvec
jmraker wrote:

MySQL's documentation of that dangerous egg command for dropping tables is missing
http://search.mysql.com/search?q=eggdro&ie=&lr=lang_en&x=0&y=0

Searching for eggdrop would've given you a result.
© 2005-2011 Frihost, forums powered by phpBB.