When a URL contains the word "echo" it gives me a "500 Internal Server Error", even if it's to an HTML file or a page that doesn't exist:
[quote]Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. jmraker.frih.org[/quote]
It's ok to post with the word "echo", and the site doesn't have a .htaccess file
That's some safety thing Bondings installed.
You'll have to think of another name for your files
I discovered it when a PHP script on my site didn't work when it tried to pass a parameter that contained the word "echo" in it. If the parameters are sent via GET, as in http://www.site.com/script.php?name=Techo...&...&etc, it failed, and I reduced it down until I found the word "echo" was the fault, but if name=Techo is sent via POST it works. I like to make sure my scripts accept both types of parameters in their API.
I stumbled upon another word that's causing problems: "egg drop" (without the space, because I can't post the word in this forum without it)
http://www.jmraker.frih.org/?egg drop (remove the space)
but with that word, any POST or GET request containing it becomes an Internal Server Error.
There's a record in my database that my program can't edit in phpMyAdmin
Wikipedia says the thing is an IRC bot
Since I want this fixed if possible, is this post enough? Because the whole "echo" problem never got a response.
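The behaviour described above (a keyword filter that rejects "echo" in the URL but not in a POST body, and rejects the bot's name in both) is easy to model, which also shows why such a filter breaks legitimate input like "Techo" or "Negg drop soup". The following is an added illustration, not the real Frihost or Apache configuration, and the blocklist, scopes and sample requests are all assumed or constructed here. It compares the plain substring match the thread observes with a word-boundary match that still catches `?echo=` but lets the item names through, and it percent-decodes the request first, since a filter that matches on the raw URL is bypassed by `%65cho`.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical model of the host-side filter as the thread describes it
# (an assumption for this illustration, not the real configuration):
#   "echo"    -> rejected when it appears in the URL, allowed in a POST body
#   "eggdrop" -> rejected in both the URL and the POST body
BLOCKLIST = {
    "echo": {"url"},
    "eggdrop": {"url", "body"},
}


def _contains(text, word, whole_word):
    """Substring match (what the thread observes) or word-boundary match."""
    if whole_word:
        pattern = r"\b" + re.escape(word) + r"\b"
        return re.search(pattern, text, re.IGNORECASE) is not None
    return word in text.lower()


def check_request(method, url, body="", whole_word=False):
    """Return (allowed, reason) for one request.

    Inputs are percent-decoded before matching; a filter that looks at the
    raw bytes would pass 'T%65cho' even though the script receives 'Techo'.
    """
    url_text = unquote_plus(url)
    body_text = unquote_plus(body) if method == "POST" else ""
    for word, scopes in BLOCKLIST.items():
        if "url" in scopes and _contains(url_text, word, whole_word):
            return False, f"'{word}' in URL"
        if "body" in scopes and _contains(body_text, word, whole_word):
            return False, f"'{word}' in POST body"
    return True, "ok"


# Constructed requests mirroring the cases reported in the thread.
REQUESTS = [
    ("GET", "/script.php?name=Techo", ""),            # blocked by substring match
    ("POST", "/script.php", "name=Techo"),            # allowed: echo is URL-only
    ("POST", "/edit.php", "item=Neggdrop+soup"),      # blocked: bot name in body
    ("GET", "/script.php?name=T%65cho", ""),          # encoded 'e', same after decoding
    ("GET", "/page.html", ""),                        # allowed
    ("GET", "/program.php?echo=<script>", ""),        # the case the filter is meant for
]


def run(whole_word=False):
    """Evaluate every sample request; returns (method, url, body, allowed)."""
    return [(m, u, b, check_request(m, u, b, whole_word)[0]) for m, u, b in REQUESTS]


if __name__ == "__main__":
    for label, ww in (("substring match", False), ("word-boundary match", True)):
        print(label)
        for m, u, b, ok in run(ww):
            print(f"  {'allow' if ok else 'BLOCK':5} {m} {u} {b}")
```

With the substring rule, "Techo" and "Neggdrop soup" are rejected exactly as the thread reports; with the word-boundary rule only the `?echo=` request is rejected. Neither rule is a substitute for validating and escaping input in the script itself.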
You say 'fixed' but it isn't actually a bug or a problem (apart from for you).
For once, it is actually a feature, put on for a very good purpose. I can't see it being removed unless there is a very good reason to do so.
I kind of see how a GET request would be acceptable to block, but I don't see how posting the word "egg drop" is, when it's part of another word. My program needs to edit a record with the word "Negg drop soup"; it's a Neopets item, and the "echo" is for the various Techo items.
Is there a list of forbidden words and why they're forbidden?
I'm assuming "echo" is to prevent a specially hacked URL from running the echo program to specify a page's contents, and "egg drop" is, I guess, to kill an IRC bot or something,
but I don't think there's a way to specially hack the POST data to do that. Like if I type "egg drop" in this forum without the space at http://www.jmraker.frih.org/wordtest.php
[quote=Jmraker]I kind of see how a GET request would be acceptable to block, but I don't see how posting the word "egg drop" is, when it's part of another word. My program needs to edit a record with the word "Negg drop soup"; it's a Neopets item, and the "echo" is for the various Techo items.[/quote]
Egg drop is the name of an IRC bot program, with IRC bots being banned on Frihost. Although I can't see a reason for Bondings banning the phrase, unless aliens support censorship.
"Echo" is probably banned to prevent newbies from writing scripts like http://newbie.frih.org/program.php?echo=XSSGOESHERE
With the code
drop is probably banned to avoid dropping database tables.
This kind of security is extra fun if you have some kind of SEO URLs for a forum or something; topics can easily become unreachable.
[quote=Peterssidan]drop is probably banned to avoid dropping database tables.[/quote]
PHP doesn't allow multiple queries in a single mysql_query() call, which protects from that anyway. Not sure how it is with pgsql or other database systems, although they're not widely used anyway.
I'm just guessing that echo is forbidden because it might be possible to memory-overload a GET request to trick the web server into calling the echo command, but of all the GNU/Linux commands, it's not that dangerous.
A little googling found that someone had problems with someone running the bot on their server.
In order for the forbidding of the egg**** word to be effective, it would assume the hackers are too lazy to change the name of the IRC bot program, and isn't PHP locked down enough to prevent the bot?
[quote=jmraker]I'm just guessing that echo is forbidden because it might be possible to memory-overload a GET request to trick the web server into calling the echo command, but of all the GNU/Linux commands, it's not that dangerous.[/quote]
That.. really isn't possible.
[quote=jmraker]In order for the forbidding of the egg**** word to be effective, it would assume the hackers are too lazy to change the name of the IRC bot program, and isn't PHP locked down enough to prevent the bot?[/quote]
PHP's security is more than ample; it's the admins (who here shouldn't be a problem) and users (who here are almost always the source of the problem) of it you need to worry about. Despite that, I cannot see how blocking URLs containing the word 'drop' will matter anyway, or that there's any PHP/Apache-related exploit here. I believe that Peterssidan was correct in assuming that it's related to SQL injection in some form or mutation.
The forbidden word is "e g g d r o p" (without the spaces, like "eggd rop"). I can't use that 7-letter word (with no spaces, that's "egg" then "drop") on my site, nor can I enter that word in this forum.
Apache is blocking the word like it does for "echo", but also when it's in POST requests, instead of loading the HTML page or running the PHP program.
I don't think it has anything to do with SQL, because real databases shouldn't drop tables so easily, as it would require the database username/password, and the web server does not run the PHP program.
But I could be wrong, and there's a dropping-of-the-eggs SQL command.
[quote=jmraker]I don't think it has anything to do with SQL, because real databases shouldn't drop tables so easily, as it would require the database username/password, and the web server does not run the PHP program.[/quote]
Another person ignorant of SQL injection.
*adds you to the score board*
What I meant was that, based only on the parameters, Apache shouldn't be running SQL commands before the web server runs the PHP program, and if Apache did, the database shouldn't drop the table without a user/pass, which the hacker wouldn't know.
I looked up "SQL injection" and it's exactly what I knew it was: where parameters to a program can alter a SQL command, to the effect of it returning different data or running other SQL commands.
But the forbidden word is NOT "drop"; it's the 7-letter word that's "e g g d r o p" (without the spaces), 'e-g-g-d-r-o-p' (without the dashes), "e.g.g.d.r.o.p" (without the periods).
The 4-letter word "drop" is not the forbidden word.
MySQL's documentation of that dangerous egg command for dropping tables is missing.
I feel like such a jerk now, and I still don't see why blocking the name of an IRC bot could stop the bot from running, which is the only logical reason why it would be on the list.
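Two points in this thread are worth seeing in code: the earlier reply that says mysql_query() refusing a second statement "protects from that anyway", and the description just above of injection as parameters that "alter a SQL command". The following added example (not from any poster, and using Python's sqlite3 module with a constructed items table rather than MySQL) shows that an injection needs no stacked statements at all: a single SELECT built by string concatenation returns rows it should not, while the parameterized version of the same query treats the payload, and the item name "Negg drop soup", as plain data. It also shows that sqlite3, like the mysql_query() behaviour described, rejects `SELECT 1; DROP TABLE`, which is exactly the kind of input a keyword filter on "drop" would be guarding against.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small items table with one row that the
    query below is not supposed to return (secret = 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)"
    )
    conn.executemany(
        "INSERT INTO items (name, secret) VALUES (?, ?)",
        [("Techo Plushie", 0), ("Negg drop soup", 0), ("Hidden Item", 1)],
    )
    return conn


def find_items_vulnerable(conn, name):
    """String-concatenated query: the caller's input becomes part of the SQL
    text, so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT name FROM items WHERE secret = 0 AND name = '"
        + name
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def find_items_safe(conn, name):
    """Parameterized query: the input is bound as a value and never parsed
    as SQL, so the same payload simply matches nothing."""
    sql = "SELECT name FROM items WHERE secret = 0 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def stacked_statements_rejected(conn):
    """Python's sqlite3 (like the mysql_query() behaviour discussed in the
    thread) refuses more than one statement per execute() call. The error
    class changed between Python versions, so both are caught."""
    try:
        conn.execute("SELECT 1; DROP TABLE items")
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True


# The classic payload: closes the string literal, then ORs in a condition
# that is always true. AND binds tighter than OR, so every row qualifies.
PAYLOAD = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("stacked statements rejected:", stacked_statements_rejected(db))
    print("vulnerable, normal input:", find_items_vulnerable(db, "Negg drop soup"))
    print("vulnerable, payload:     ", find_items_vulnerable(db, PAYLOAD))
    print("safe, normal input:      ", find_items_safe(db, "Negg drop soup"))
    print("safe, payload:           ", find_items_safe(db, PAYLOAD))
```

The vulnerable function leaks "Hidden Item" with nothing more than a quote, an OR and a comment marker, none of which a blocklist of "drop" or "eggdrop" would touch; the parameterized function returns the correct rows for both inputs. That is why the defence belongs in the script's query construction rather than in a keyword filter on the request.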
Searching for eggdrop would've given you a result