Hallo,
in the apache logfiles of my Wiki
I find sometimes such lines (shortened):
"GET /Wiki/index.php?title=http://example.tld/some-side.htm? HTTP/1.1" 301 "GET /Wiki/index.php?title=Http://example.tld/some-side.htm%3F HTTP/1.1" 200
They always differ in "[Hh]ttp" and in "htm(?|%3F)", the second line is always accepted from Mediawiki.
I had updated Mediawiki last week to 1.12.0 - no change.
Is that a behaviour which may be dangerous?
Viele Gruesse! Helmut
Helmut Hullen wrote:
"GET /Wiki/index.php?title=http://example.tld/some-side.htm? HTTP/1.1" 301 "GET /Wiki/index.php?title=Http://example.tld/some-side.htm%3F HTTP/1.1" 200
That's spam. Example.tld is likely coming from Russia (i.e. the real domain is something.ru) - at least that's what I'm getting.
I've added some statements to my Apache <VirtualHost> sections to use mod_rewrite to send back a 403 (forbidden URL) message:
RewriteCond %{REQUEST_URI} ^title=.*http: [OR,NC] RewriteCond %{REQUEST_URI} ^/index.php/.*http: [OR,NC] #... other forbidden stuff... RewriteRule ^(.*)$ http://example.com [F,L,R]
That seems to catch most of it.
Mike
Hallo, Michael,
Du (michael.daly) meintest am 11.08.08:
"GET /Wiki/index.php?title=http://example.tld/some-side.htm? HTTP/1.1" 301 "GET /Wiki/index.php?title=Http://example.tld/some-side.htm%3F HTTP/1.1" 200
That's spam. Example.tld is likely coming from Russia (i.e. the real domain is something.ru) - at least that's what I'm getting.
Some days ago I got more than 16 requests from Canada.
I've added some statements to my Apache <VirtualHost> sections to use mod_rewrite to send back a 403 (forbidden URL) message:
RewriteCond %{REQUEST_URI} ^title=.*http: [OR,NC] RewriteCond %{REQUEST_URI} ^/index.php/.*http: [OR,NC] #... other forbidden stuff... RewriteRule ^(.*)$ http://example.com [F,L,R]
Thanks - I'll try.
Viele Gruesse! Helmut
Hallo, Michael,
Du (michael.daly) meintest am 11.08.08:
"GET /Wiki/index.php?title=http://example.tld/some-side.htm? HTTP/1.1" 301 "GET /Wiki/index.php?title=Http://example.tld/some-sid e.htm%3F HTTP/1.1" 200
That's spam. Example.tld is likely coming from Russia (i.e. the real domain is something.ru) - at least that's what I'm getting.
I've added some statements to my Apache <VirtualHost> sections to use mod_rewrite to send back a 403 (forbidden URL) message:
RewriteCond %{REQUEST_URI} ^title=.*http: [OR,NC] RewriteCond %{REQUEST_URI} ^/index.php/.*http: [OR,NC] #... other forbidden stuff... RewriteRule ^(.*)$ http://example.com [F,L,R]
That seems to catch most of it.
Doesn't work - sorry.
Just another idea: This spambot always asks "<wiki-dir>/index.php", and that skript always could detect
title=http://xyz or title=Http://xyz
In my Wiki I've never seen an allowed query string with an URL as title: mediawiki should (as far as I can see) detect such titles as errors.
How and where could I patch the "index.php"?
Viele Gruesse! Helmut
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Helmut Hullen wrote:
In my Wiki I've never seen an allowed query string with an URL as title: mediawiki should (as far as I can see) detect such titles as errors.
How and where could I patch the "index.php"?
Sounds like you want the TitleBlacklist extension.
- -- brion
Hallo, Brion,
Du (brion) meintest am 25.08.08:
In my Wiki I've never seen an allowed query string with an URL as title: mediawiki should (as far as I can see) detect such titles as errors.
How and where could I patch the "index.php"?
Sounds like you want the TitleBlacklist extension.
Should work ... I've followed the instructions at
http://www.mediawiki.org/wiki/Extension:Title_Blacklist
I've created my own list:
http://arktur.de/Wiki/index.php?title=MediaWiki:Titleblacklist
with my special rule
index.php?title=[hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
but it doesn't send any error message if I call
http://arktur.de/Wiki/index.php?title=Http://hullen.mydyn.de
What is wrong?
Viele Gruesse! Helmut
Helmut Hullen wrote:
with my special rule
index.php?title=[hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
but it doesn't send any error message if I call
http://arktur.de/Wiki/index.php?title=Http://hullen.mydyn.de
What is wrong?
Viele Gruesse! Helmut
Your entry should be [hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
I don't know the topic of your wiki, but i'd check against http:// just in case someone want to create an article about the protocol. Also, the check is case insensitive (casesensitive wasn't specified), so no need for [hH]
Hallo, Platonides,
Du (Platonides) meintest am 27.08.08:
with my special rule
index.php?title=[hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
but it doesn't send any error message if I call
http://arktur.de/Wiki/index.php?title=Http://hullen.mydyn.de
What is wrong?
Your entry should be [hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
I've changed the entry in
http://arktur.de/Wiki/MediaWiki:Titleblacklist
to
http <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
but it still doesn't work:
http://arktur.de/Wiki/index.php?title=http://hullen.mydyn.de
is still allowed
I don't know the topic of your wiki, but i'd check against http:// just in case someone want to create an article about the protocol.
Mediawiki doesn't allow "http://" - sorry. May I put this string into "<nowiki>"?
What ist (still) wrong?
Viele Gruesse! Helmut
Helmut Hullen wrote:
I've changed the entry in
http://arktur.de/Wiki/MediaWiki:Titleblacklist
to
http <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
but it still doesn't work:
http://arktur.de/Wiki/index.php?title=http://hullen.mydyn.de
is still allowed
However, http://arktur.de/Wiki/index.php?title=Http&action=edit is not So you'd need http.*
Mediawiki doesn't allow "http://" - sorry. May I put this string into "<nowiki>"?
Internally, the separator is /, you'd need to escape them: http://.*
Hallo, Platonides,
Du (Platonides) meintest am 28.08.08:
I've changed the entry in
http://arktur.de/Wiki/MediaWiki:Titleblacklist
to
http <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
but it still doesn't work:
http://arktur.de/Wiki/index.php?title=http://hullen.mydyn.de
is still allowed
However, http://arktur.de/Wiki/index.php?title=Http&action=edit is not So you'd need http.*
Mediawiki doesn't allow "http://" - sorry. May I put this string into "<nowiki>"?
Internally, the separator is /, you'd need to escape them: http://.*
That doesn't do the job completely - sorry.
Yesterday I had more than 40 pairs of bot tries like the following:
a-b-c-216-020-xxx.example.com - - [11/Sep/2008:14:30:16 +0200] "GET /Wiki/index.php?title=Http://204.2.183.2/babycaleb/index.htm%3F HTTP/ 1.1" 200 9244 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" a-b-c-216-020-xxx.example.com - - [11/Sep/2008:14:30:16 +0200] "GET /Wiki/index.php?title=http://204.2.183.2/babycaleb/index.htm? HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
(URLs changed in some places)
Mediawiki accepts the first try and rejects the second.
And I don't know what happens with the accepted request.
I've looked into the file "index.php"; a switch " String 'http://' is forbidden" or so may do the desired job, but I don't know where is the best place for it.
Viele Gruesse! Helmut
mediawiki-l@lists.wikimedia.org