smd_prognostics: monitor your Txp installation for suspicious activity

jakob · 2010-11-21 12:48:15

Roelof, I suggest creating a dedicated folder for the “prognostics settings” rather than your root folder, and then try the settings out, first 755, then if that doesn’t work 775, and if that still doesn’t work 777.

To check if it works, follow Stef’s advice above:

So after you have tried to Save the Files, please use your FTP program to verify that the smd_prgnostics_checksums.txt file has been created in the place you have defined.

roelof · 2010-11-22 15:09:56

Hello,

I tried al three without any success.
I made a directory test and gave it first 755 then 775 and then 777 but still if I change the prognotics folder it will change back to the directory textpattern.

Bloke, I could give you access as soon as I know a mail adress to which I can send on the password.

Roelof

Bloke · 2010-12-09 09:04:57

New version 0.15 released. Features:

Improved warning display when saving preferences (thanks maniqui)
Skipped comment preview step for SQL injections (helps prevent false positives and massively cuts down the number of frognostic alerts)
Fixed version number in frognostics
Fixed display error on Advice panel
Added sql_injection callback
Added RPC advice check

I’ll have a go at tackling the performance of unmonitored file additions next.

roelof · 2010-12-09 09:24:02

Hello Bloke,

This version I have the same problem and I get no error messages.
So I hope we can solve this annoying problem.

Roelof

Bloke · 2010-12-09 11:40:44

roelof wrote:

This version I have the same problem and I get no error messages.

Please send me a login to your site and I’ll see if I can figure it out later. You should see an e-mail link below my avatar on the forum.

roelof · 2010-12-09 11:46:10

Oke,

I send you a pm with all the data.

Roelof

Bloke · 2010-12-09 18:49:37

Thanks roelof. Found the bug and fixed it. The problem was that the prefs weren’t being saved at all. Try v0.16

Note to self: never assume that the button names are going to be sent to the plugin in English. Stupid mistake on my part, really sorry.

roelof · 2010-12-13 12:16:28

Hello Bloke.

Sorry for the late respons.
But everything is working fine.
So may thanks for the help.

Roelof

Bloke · 2010-12-30 21:47:43

Version 0.17 released. Adds one bug fix (see later) and one new feature: the ability to control the sensitivity of the SQL injection.

On some of my sites I noticed that I was receiving large numbers of frognostics reports when spammers were commenting. Although the plugin doesn’t trip on preview (which helps reduce the quantity of reports) I was still getting more than I liked. So I took a trip through the code and found that the SQL injection routine checks for words such as select, union, from and -- appearing in strategic locations in every request. On sites that have comments enabled, this results in large numbers of posts being erroneously flagged as SQL injections.

This situation is not ideal and I think it needs a long-term rethink, but as a stop-gap I’ve implemented a sensitivity setting. The value(s) you put in the Sensitivity box determine how many “bad words” are permitted in a submission before it triggers the injection warning (you are still free to bypass this entirely with your own plugin if you wish). The default of 1 is the most sensitive. Raise this value to make it less sensitive but at the expense of possibly missing one or two real injection attacks. Your call.

I’ve made it possible to set separate sensitivities for GET and POST requests. In general you’ll want GET requests to be at 1 because any dodgy URL params need to be dealt with swiftly and decisively. If you are doing some clever, custom URL manipulation (maniqui: I’m looking at you!) it might be useful to raise this value. Similarly, if you have enabled comments on your site you might want to raise the POST value a little so someone who innocently adds a couple of -- Textile marks isn’t penalised.

In general I’d advise that a regular TXP site with comments enabled uses a sensitivity of 1, 3 or 1, 4. Season to taste. If you don’t use comments, by all means set the POST sensitivity to 1 as well (note that if you use a single value it applies to both GET and POST requests).

This version also fixes a daft bug that I introduced in v0.16 whereby your settings would be wiped out if you clicked ‘Setup’ from the Prognostics subtab. Apologies for that stupid oversight. I hope it hasn’t caused too much grief.

Hope you all have a Happy New Year.

maverick · 2011-03-27 23:07:10

Error on “Admin -> Import” tab.

First saw it after Txp 4.4.0 upgrade, but rarely go to the import tab so it could have been present prior.

Notice: Undefined offset: 1 in /home/maverick/textpattern/textpattern/lib/txplib_misc.php(653) : eval()’d code on line 94

v0.16 and v0.17 both yield same result.

Multi-site install.

Bloke · 2011-03-27 23:21:18

maverick wrote:

Notice: Undefined offset: 1 in /home/maverick/textpattern/textpattern/lib/txplib_misc.php(653) : eval()’d code on line 94

Weird, check the value of your prognostics pref called “Check files between” (if you want to delve deeper, it’s stored in the prefs table as smd_prognostics_check_between).

If you’ve only got one entry (i.e. just in the first box) then you’ll see that message… and others… but not just on the import tab: pretty much everywhere. Thing is, the plugin is supposed to guard against this and if one of the boxes is empty it should fill it in for you with either 00:00 or 23:59. You haven’t got a rogue space in the box or something have you?

Last edited by Bloke (2011-03-27 23:21:45)

maverick · 2011-03-27 23:44:52

Bloke wrote:

but not just on the import tab: pretty much everywhere.

Strange as it is, it was only showing on the Import tab.

check the value of your prognostics pref called “Check files between” (if you want to delve deeper, it’s stored in the prefs table as smd_prognostics_check_between).

Okay – the cause of the error makes sense, but the why there was a cause does not.

All the preferences were gone. The situation was the same on both of the sites I’ve checked so far. Both of which had been functioning in the past (though I realize now in retrospect that it has been a while since I remember a report being emailed to me.)

So a simple save filled in the the check between preference and the error is gone. But I’ve no clue where the previous settings went.

Mike

p.s. – when I check the database, I don’t see a smd_prognostic listed. So I can check on it, where in the database does it save its preferences? Thanks.

Last edited by maverick (2011-03-27 23:46:23)

Textpattern CMS

Textpattern CMS support forum

#61 2010-11-21 12:48:15

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#62 2010-11-22 15:09:56

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#63 2010-12-09 09:04:57

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#64 2010-12-09 09:24:02

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#65 2010-12-09 11:40:44

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#66 2010-12-09 11:46:10

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#67 2010-12-09 18:49:37

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#68 2010-12-13 12:16:28

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#69 2010-12-30 21:47:43

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#70 2011-03-27 23:07:10

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#71 2011-03-27 23:21:18

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#72 2011-03-27 23:44:52

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Board footer