1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

user/forum admin blocked again and again - ALERT - ASCII-NUL chars not allowed

Discussion in 'General Discussion' started by jols, Aug 21, 2009.

  1. jols

    jols Active Member

    Joined:
    Mar 13, 2004
    Messages:
    1,098
    Likes Received:
    2
    Trophy Points:
    38
    We have a hosted customer who is maintaining a UBB forum, but is being blocked again and again with the resulting log entire below:

    [Fri Aug 21 12:10:59 2009] [error] [client 74.195.252.71] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ubbt_admin' (attacker '74.195.252.71', file '/home/[userid]/public_html/[path to the forum admin script]'), referer: Home[path to the forum admin script]

    I am also finding this in the /var/messages logs:

    Aug 21 12:20:35 pulsar suhosin[24306]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ubbt_admin' (attacker '74.195.252.71', file '/home/[userid]/public_html/[path to the forum admin script]')

    The hosted members claims to be on a PC that is currently virus free, although earlier in the month he had some cleanup to do in this regard.

    Any idea what could be going on here?

    Thanks much!
     
  2. sanjuabrahamk

    sanjuabrahamk Member

    Joined:
    Jan 26, 2006
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    Please make sure that you are using the latest version of the application.
     
  3. jols

    jols Active Member

    Joined:
    Mar 13, 2004
    Messages:
    1,098
    Likes Received:
    2
    Trophy Points:
    38
    Thanks, but they are using the most recent version of UBB.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    12,123
    Likes Received:
    33
    Trophy Points:
    48
    Location:
    Pennsylvania
    Isn't this your answer?

    Aug 21 12:20:35 pulsar suhosin[24306]:
     
  5. alwaysweb

    alwaysweb New Member

    Joined:
    Mar 8, 2002
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Dallas, TX
    Here's a suggestion. Try editing the suhosin settings to allow the ASCI-NULL. Edit your /usr/local/lib/php.ini and add this in the [suhosin] section:

    suhosin.cookie.disallow_nul = Off
    suhosin.get.disallow_nul = Off
    suhosin.post.disallow_nul = Off
    suhosin.request.disallow_nul = Off

    Then restart apache and see if that helps.
     
  6. jols

    jols Active Member

    Joined:
    Mar 13, 2004
    Messages:
    1,098
    Likes Received:
    2
    Trophy Points:
    38
    Thanks very much for your help alwaysweb!

    However, I have a (potentially stupid) question:

    Won't this make the server less secure?
     
  7. alwaysweb

    alwaysweb New Member

    Joined:
    Mar 8, 2002
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Dallas, TX
    I dont' know of any attacks that use asci-null characters directly, but i'm sure there are some. Really we're just disabling a few rules that are causing false positives. However, its up to you. Its a balance between security and convenience (or usability).
     

Share This Page