Developer forum


Handler with URL parameter bans IP

René Poulsen

Hi,

We are creating a handler to create some temporary files on a solution. We create the files outside of the DW filearchive.

The handler is placed in application/handlers/handler.ashx.

When we call the handler with a URL parameter, our IP gets banned for 15 minutes. When we call it without a URL parameter, we do not get banned. Any solution/explanation to this?


Replies

 
Nicolai Høeg Pedersen

You can disable the banning directly in GlobalSettings. You could also skip testing for specific parameters or disable SQL injection check entirely.

    <Security>
      <FormAntiSpam>False</FormAntiSpam>
      <FormAntiSpamReportTo>
      </FormAntiSpamReportTo>
      <DoNotBanIps>True</DoNotBanIps>
      <SQLInjectionSkip>Nicolai</SQLInjectionSkip>
    </Security>

What do you call your handler with?

 
René Poulsen

But should this be necessary? It would be really nice to be able to use our handler without disabling this.

Is it banning us because we create files on the server? Is it banning us because of something else? How is it determined if an IP address should be banned?

 
Anders Ebdrup
This post has been marked as an answer

Hi René

 

You will get banned if your request contains values which can be used for SQL injection, so it will be: create, update, delete, etc.

 

Which information are you sending to the handler?

 

Best regards, Anders

Votes for this answer: 1
 
René Poulsen

create would be the word! :-)

We have createFile as parameter, so that must be the reason.

Thx.

 
Nicolai Høeg Pedersen

Hi René

It is - but I just made a change in the latest 8.7 hotfix that should remove some false positives like that one.

BR Nicolai
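
The false positive discussed in this thread, as an added example that is not part of the original posts and is not Dynamicweb's code: it contrasts a substring keyword check with a stricter statement-shaped check over constructed query strings. The keyword list, class name and both matching strategies are assumptions made for illustration; the thread does not show how the real check works.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical illustration: the keyword list and both matchers are
// assumptions, not Dynamicweb's actual SQL injection check.
static class KeywordFilterDemo
{
    // Assumed list, limited to the words named in the thread.
    static readonly string[] Keywords = { "create", "update", "delete" };

    // Naive check: a keyword anywhere in the text counts as a hit,
    // so the parameter name "createFile" matches "create".
    static bool SubstringMatch(string text) =>
        Keywords.Any(k => text.IndexOf(k, StringComparison.OrdinalIgnoreCase) >= 0);

    // Stricter check: the keyword must be a whole word followed by
    // whitespace and another token, as in "delete from ...".
    static readonly Regex StatementPattern = new Regex(
        @"\b(" + string.Join("|", Keywords) + @")\b\s+\w+",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    static bool StatementMatch(string text) => StatementPattern.IsMatch(text);

    static void Main()
    {
        // Constructed sample query strings, not taken from the thread.
        var samples = new[]
        {
            "createFile=report.tmp",    // benign: keyword inside a longer name
            "action=create",            // benign: keyword alone as a value
            "note=please+update+me",    // benign free text
            "id=1;+delete+from+Users",  // statement-shaped input
            "file=report.tmp",          // no keyword at all
        };

        Console.WriteLine("{0,-26}{1,-11}{2}", "query string", "substring", "statement");
        foreach (var qs in samples)
        {
            // Decode first so both checks see names and values as the server would.
            string decoded = Uri.UnescapeDataString(qs.Replace('+', ' '));
            Console.WriteLine("{0,-26}{1,-11}{2}",
                qs, SubstringMatch(decoded), StatementMatch(decoded));
        }
    }
}
```

The substring check flags the first four samples, while the stricter check clears `createFile` and `action=create` but still flags the benign free-text note. A keyword heuristic can only narrow false positives, so the handler's own queries should be parameterized regardless of how the request filter is tuned.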

 
