user/forum admin blocked again and again - ALERT - ASCII-NUL chars not allowed

**jols** · 08-21-2009 04:41 PM

We have a hosted customer who is maintaining a UBB forum, but is being blocked again and again with the resulting log entire below:

[Fri Aug 21 12:10:59 2009] [error] [client 74.195.252.71] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ubbt_admin' (attacker '74.195.252.71', file '/home/[userid]/public_html/[path to the forum admin script]'), referer: Home[path to the forum admin script]

I am also finding this in the /var/messages logs:

Aug 21 12:20:35 pulsar suhosin[24306]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ubbt_admin' (attacker '74.195.252.71', file '/home/[userid]/public_html/[path to the forum admin script]')

The hosted members claims to be on a PC that is currently virus free, although earlier in the month he had some cleanup to do in this regard.

Any idea what could be going on here?

Thanks much!

**sanjuabrahamk** · 08-21-2009 05:32 PM

Please make sure that you are using the latest version of the application.

**jols** · 08-23-2009 12:48 AM

Thanks, but they are using the most recent version of UBB.

**Infopro** · 08-23-2009 06:09 AM

Isn't this your answer?

Aug 21 12:20:35 pulsar suhosin[24306]:

**alwaysweb** · 10-07-2009 01:03 PM

Here's a suggestion. Try editing the suhosin settings to allow the ASCI-NULL. Edit your /usr/local/lib/php.ini and add this in the [suhosin] section:

suhosin.cookie.disallow_nul = Off
suhosin.get.disallow_nul = Off
suhosin.post.disallow_nul = Off
suhosin.request.disallow_nul = Off

Then restart apache and see if that helps.

**jols** · 10-08-2009 03:53 PM

Originally Posted by alwaysweb

Here's a suggestion. Try editing the suhosin settings to allow the ASCI-NULL. Edit your /usr/local/lib/php.ini and add this in the [suhosin] section:

suhosin.cookie.disallow_nul = Off
suhosin.get.disallow_nul = Off
suhosin.post.disallow_nul = Off
suhosin.request.disallow_nul = Off

Then restart apache and see if that helps.

Thanks very much for your help alwaysweb!

However, I have a (potentially stupid) question:

Won't this make the server less secure?

**alwaysweb** · 10-08-2009 04:41 PM

I dont' know of any attacks that use asci-null characters directly, but i'm sure there are some. Really we're just disabling a few rules that are causing false positives. However, its up to you. Its a balance between security and convenience (or usability).

LinkBack

Thread Tools

user/forum admin blocked again and again - ALERT - ASCII-NUL chars not allowed

User-defined functions NOT allowed by my host?

Change max allowed user id chars?

To Nick / Cpanel Forum Admin