Users Banned, but not in _BannedIPs.txt

Nuno Aguiar Dynamicweb Employee

Hi,

 

We have 2 customers (9.14.10 and 9.16.7) that have both reported a very odd experience with IP Banner.

  • They claim to be banned
  • Their IP is NOT in GeneralLog nor in _BannedIPs.txt
  • But whenever we completely clear the _BannedIPs.txt file, they are unblocked

 

The only similar thing between the two is that some IPv6 were banned, but they don't look right, storing only the first 4 digits of the IP.

 

Any thoughts on what could be causing this? If it's best, I can reach out through Care so that I can provide the customer's names and the banned IPs

 

Best Regards,

Nuno Aguiar


Replies

 
Nicolai Pedersen Dynamicweb Employee

Could they be using some sort of proxy on their net? x-forwarded-for header vs. the IP?

 
Nicolai Pedersen Dynamicweb Employee

Having an IPv6 in their banned IPs is very odd as there should not be IPv6 on their webserver. That could indicate that they internally run IPv6, and that is forwarded in a header DW understands...

 
Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

 

I'll see if I can meet with the customer and through screen sharing try to capture more information. If you have any other ideas on how I could even capture this, I'd appreciate it.

 

In regards to the IPv6 (which may or may not be related), here's what we're seeing

 
Nicolai Pedersen Dynamicweb Employee

Cloudflare configuration issue? ipBanner is looking at x-forwarded-for headers - and they could contain something that DW misunderstands...

I guess this kind of request is not coming from inside their organisation

/products?ProductType=2%27%29+AND+1%3D1+UNION+ALL+SELECT+1%2CNULL%2C%27%3Cscript%3Ealert%28%5C%22XSS%5C%22%29%3C%2Fscript%3E%27%2Ctable_name+FROM+information_schema.tables+WHERE+2%3E1--%2F%2A%2A%2F%3B+EXEC+xp_cmdshell%28%27cat+..%2F..%2F..%2Fetc%2Fpasswd%27%29%23
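
An added example, not part of the thread and not Dynamicweb's code: it illustrates one hypothesis consistent with the symptoms discussed above, namely that stripping a port by cutting an X-Forwarded-For value at the first colon reduces an IPv6 address to its first four hex digits. The function names, the `TRUSTED` proxy range and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the only proxies allowed to set X-Forwarded-For.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

def naive_client_ip(xff):
    """Hypothetical buggy logic: first hop, port 'stripped' at the first colon."""
    return xff.split(",")[0].strip().split(":")[0]

def parse_hop(hop):
    """Normalize one X-Forwarded-For element to an IP string, or return None."""
    hop = hop.strip().strip('"')
    if hop.startswith("["):              # bracketed form: [IPv6]:port
        end = hop.find("]")
        if end == -1:
            return None
        hop = hop[1:end]
    elif hop.count(":") == 1:            # exactly one colon: IPv4:port
        hop = hop.split(":")[0]
    hop = hop.split("%")[0]              # drop an IPv6 zone id if present
    try:
        return str(ipaddress.ip_address(hop))
    except ValueError:
        return None                      # truncated or non-IP content

def client_ip(remote_addr, xff, trusted=TRUSTED):
    """Address to log or ban: honour the header only when the socket peer is
    a trusted proxy, and walk hops right to left past trusted proxies."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not any(peer in net for net in trusted):
        return str(peer)
    for hop in reversed(xff.split(",")):
        ip = parse_hop(hop)
        if ip is None:
            return str(peer)             # malformed header: use the socket peer
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return str(peer)

if __name__ == "__main__":
    header = "2001:db8::1f, 10.0.0.5"    # constructed sample header
    print("naive :", naive_client_ip(header))
    print("robust:", client_ip("10.0.0.9", header))
```

A ban list populated by the naive variant would hold entries such as `2001` that correspond to no single client, which is worth checking for when auditing a _BannedIPs.txt file.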

 
