Developer forum


Users Banned, but not in _BannedIPs.txt

Nuno Aguiar Dynamicweb Employee

Hi,

 

We have 2 customers (9.14.10 and 9.16.7) that have both reported a very odd experience with IP Banner.

 

  • They claim to be banned
  • Their IP is NOT in GeneralLog nor in _BannedIPs.txt
  • But whenever we completely clear the _BannedIPs.txt file, they are unblocked

 

The only similar thing between the two is that some IPv6 addresses were banned, but they don't look right, storing only the first 4 digits of the IP.

 

Any thoughts on what could be causing this? If it's best, I can reach out through Care so that I can provide the customer's names and the banned IPs

 

Best Regards,

Nuno Aguiar


Replies

 
Nicolai Pedersen Dynamicweb Employee

Could they be using some sort of proxy on their net? x-forwarded-for header vs. the IP?

 
Nicolai Pedersen Dynamicweb Employee

Having an IPv6 address in their banned IPs is very odd, as there should not be IPv6 on their webserver. That could indicate that they internally run IPv6, and that is forwarded in a header DW understands...

 
Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

 

I'll see if I can meet with the customer and through screen sharing try to capture more information. If you have any other ideas on how I could even capture this, I'd appreciate it.

 

In regards to the IPv6 (which may or may not be related), here's what we're seeing

 
Nicolai Pedersen Dynamicweb Employee

Cloudflare configuration issue? ipBanner is looking at x-forwarded-for headers - and they could contain something that DW misunderstands...

I guess this kind of request is not coming from inside their organisation

/products?ProductType=2%27%29+AND+1%3D1+UNION+ALL+SELECT+1%2CNULL%2C%27%3Cscript%3Ealert%28%5C%22XSS%5C%22%29%3C%2Fscript%3E%27%2Ctable_name+FROM+information_schema.tables+WHERE+2%3E1--%2F%2A%2A%2F%3B+EXEC+xp_cmdshell%28%27cat+..%2F..%2F..%2Fetc%2Fpasswd%27%29%23
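
The two replies above point at the same mechanism: the banned address is whatever the IP banner extracts from X-Forwarded-For, so a proxy or CDN hop, a port suffix, or an IPv6 literal can all change what gets written to the ban list. The block below is an added example, not Dynamicweb's IP Banner code and not a description of how it actually parses the header. The naive parser and the prefix-style ban check are hypothetical; they are included to show one way a stored entry could end up as just the first hextet of an IPv6 address (the "first 4 digits" symptom), and why such an entry would block users whose full address never appears in the file until the file is emptied. The sample header values and ban entries are constructed, and the trusted-proxy count is an assumption about the deployment.

```python
import ipaddress
from typing import List

# Constructed X-Forwarded-For values (hypothetical, not from the customers'
# logs). Each element: (header as received, number of trusted proxies that
# appended to it). With one trusted proxy in front, the rightmost entry is
# the address that proxy saw; anything left of it was supplied by the client.
SAMPLES = [
    ("203.0.113.10", 1),
    ("203.0.113.10:51234", 1),
    ("10.0.0.1, 198.51.100.7", 1),          # spoofed prefix, then real client
    ("2001:db8:abcd::1", 1),
    ("[2001:db8:abcd::1]:443", 1),
]


def naive_client_ip(xff: str) -> str:
    """Hypothetical fragile parser: take the leftmost hop and cut at the
    first ':' to drop a port. Correct for 'v4:port', but an IPv6 literal is
    reduced to its first hextet, e.g. '2001:db8:abcd::1' -> '2001'.
    It also trusts the leftmost entry, which the client controls."""
    first = xff.split(",")[0].strip()
    return first.split(":", 1)[0]


def strip_port(hop: str) -> str:
    """Remove an optional port from '[v6]:port' or 'v4:port' and leave bare
    addresses alone. ipaddress validates the result and rejects junk."""
    if hop.startswith("["):                # '[2001:db8::1]:443'
        host = hop[1:hop.index("]")]
    elif hop.count(":") == 1:              # '203.0.113.10:51234'
        host = hop.rsplit(":", 1)[0]
    else:                                  # bare IPv4 or IPv6
        host = hop
    return str(ipaddress.ip_address(host))


def client_ip(xff: str, trusted_proxies: int = 1) -> str:
    """Pick the entry appended by the first trusted proxy by counting
    `trusted_proxies` from the right. Raises ValueError if the header is
    shorter than the topology implies or the entry is not an IP."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_proxies < 1 or len(hops) < trusted_proxies:
        raise ValueError("X-Forwarded-For inconsistent with proxy topology")
    return strip_port(hops[len(hops) - trusted_proxies])


def is_banned_prefix(ip: str, banned: List[str]) -> bool:
    """Hypothetical prefix match: a truncated entry such as '2001' then bans
    every address that merely starts with '2001'."""
    return any(ip.startswith(e.strip()) for e in banned if e.strip())


def is_banned_exact(ip: str, banned: List[str]) -> bool:
    """Exact match on parsed addresses. Entries that do not parse (such as a
    truncated '2001') are skipped rather than widening the ban."""
    addr = ipaddress.ip_address(ip)
    for entry in banned:
        try:
            if addr == ipaddress.ip_address(entry.strip()):
                return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    for header, n in SAMPLES:
        print(f"{header!r:28} naive={naive_client_ip(header)!r:20} "
              f"robust={client_ip(header, n)!r}")
    banned = ["2001", "203.0.113.10"]      # constructed ban list
    victim = "2001:db8:ffff::9"            # an unrelated IPv6 user
    print("prefix match bans victim:", is_banned_prefix(victim, banned))
    print("exact match bans victim: ", is_banned_exact(victim, banned))
```

Two checks follow from this when looking at a customer's setup: compare what the web server logs as the remote address against the full X-Forwarded-For value for the same request, and confirm how many hops in front of the server are trusted to append to that header. Behind Cloudflare the proxy also sets its own CF-Connecting-IP header with the address it saw, which avoids parsing the chain at all; the leftmost X-Forwarded-For entry should never be the basis for a ban, since the client chooses it.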

 
Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

 

I haven't been able to meet with both customers to see what they are getting. Cloudflare is a possibility, but we'll have to see.

 

Clearly what you highlighted is not coming from within their organization (a clear SQL Injection and XSS attempt). I guess I wondered if there could be something in DW that once it finds a banned IP of type IPv6, the code acts up and does not validate them accurately (since our customers stop getting banned once we completely delete everything in _BannedIps.txt despite not seeing their IP there - at least that's been how our Support Desk people reported it on both occasions). I'll get to the bottom of the mystery :)

 

Thank you for your insights,

Nuno Aguiar

 
