Developer forum

Understanding Injection ban

Nuno Aguiar Dynamicweb Employee

Hi,

 

We've had a user get banned, and the customer was asking why. I tried to make sense of the log but don't see why he would. Can you help translate it:

 

Injection ban: Match on QueryString 404;http://www.sitedomain.com:443/admin/public/404.aspx?404;https://www.sitedomain.com:443/Files/Templates/Designs/SiteDesign/css/exceptions/ie.css" rel (["'].*=.*["'])

(I replaced the domain and design folder)

 

Best Regards,

Nuno Aguiar


Replies

 
Nicolai Pedersen

Cannot tell.

["'].*=.*["'] does not look like something in current DW releases...

But it does look like a malformed HTML tag or attribute in a template - like this

rel=Files/Templates/Designs/SiteDesign/css/exceptions/ie.css"

Note the missing starting "

 
Nicolai Pedersen

Validate all your pages and see if there is an issue?

What version? Looks old... Just having an ie.css :-)

 
Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

 

They are running in 9.10.12. It is an old implementation though.

 

That was the record the customer provided us, and the markup is properly constructed. But as I was writing this I looked at what this was doing and besides getting bleeding eyes (as Imar likes to say), it was a true blast from the past.

 

That css file is requesting an oldie .htc file (CSS3 compatibility for IE), which is what has triggered the IP ban, and the css is within HTML conditional tags... so yeah, old...

 

So, as much as the regex may be current, is it safe to assume this would be triggered by the file ie.css importing an htc file? Just trying to make sense of this.

 

Best Regards,

Nuno Aguiar

 
Nicolai Pedersen

Yes - that is exactly code that looks like injections, so I am fine with it :-)

 
Nuno Aguiar Dynamicweb Employee

Perfect, thanks.
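
Added example (not part of the thread and not Dynamicweb code): a small Python script that splits the posted log entry into the logged value and the rule, then tests the rule against it. The entry layout (prefix, value, rule in trailing parentheses) is inferred from the single line above, Python's re stands in for whatever regex engine the product uses, and parse_ban_entry, matched_text and CONSTRUCTED_TAIL are hypothetical names and sample data.

```python
import re

PREFIX = "Injection ban: Match on QueryString "

# The entry exactly as posted in the thread (domain and folder already replaced there).
LOG_LINE = (
    "Injection ban: Match on QueryString "
    "404;http://www.sitedomain.com:443/admin/public/404.aspx?"
    "404;https://www.sitedomain.com:443/Files/Templates/Designs/SiteDesign"
    '/css/exceptions/ie.css" rel (["\'].*=.*["\'])'
)

# Constructed continuation, NOT from the log: one way the cut-off attribute could go on.
CONSTRUCTED_TAIL = '="stylesheet"'


def parse_ban_entry(line):
    """Split an entry into (logged_value, rule_regex).

    Assumed layout: PREFIX, the logged value, a space, then the rule in
    parentheses at the very end of the line.
    """
    if not line.startswith(PREFIX):
        raise ValueError("not an injection-ban entry")
    # rpartition takes the last " (", so parentheses inside the value are left alone.
    value, sep, tail = line[len(PREFIX):].rpartition(" (")
    if not sep or not tail.endswith(")"):
        raise ValueError("no trailing (rule) found")
    return value, tail[:-1]


def matched_text(value, rule):
    """Return the substring of value that the rule matches, or None."""
    hit = re.search(rule, value)
    return hit.group(0) if hit else None


if __name__ == "__main__":
    value, rule = parse_ban_entry(LOG_LINE)
    print("rule:           ", rule)
    print("logged excerpt: ", matched_text(value, rule))
    print("with tail:      ", matched_text(value + CONSTRUCTED_TAIL, rule))
    print("plain query:    ", matched_text("ID=12&GroupID=GROUP1", rule))
```

The rule needs a quote character, then an =, then another quote, in that order. The posted excerpt has a single quote and no =, so on its own it does not satisfy the rule; with the constructed tail it does, while an ordinary query string without quotes does not.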
