Developer forum

Forum » Development » Wrong ip banned for ARR server

Wrong ip banned for ARR server

E-mail notifications
Anders Ebdrup
Anders Ebdrup
Reply
Posted on 28/09/2017 14:54:20

Hi Dynamicweb,

 

We have a solution behind an ARR-server, where I think there is an issue with getting the right ip address from the user when a client is banned due to sqlinjection.

Is seems like you are using the user's hostaddress and not trying to get the forwarded ip. This means that every request from any browser is banned and not just the specific client.

 

Best regards, Anders


Replies

 
Nicolai Pedersen
Posted on 04/10/2017 13:43:04
Reply
This post has been marked as an answer

TFS#40110

Votes for this answer: 1
 
Jóhann Kristþórsson
Posted on 19/12/2017 10:51:41
Reply

We had an outage due to this same problem on one of our websites.

What is the status of this TFS ticket?

 
Nicolai Pedersen
Posted on 19/12/2017 16:27:51
Reply

It should be fixed in 9.3.6

 
Nicolai Pedersen
Posted on 19/12/2017 16:30:38
Reply

Just to summarize - the sql banning look for IPs in this order:

  • X_FORWARDED_FOR
  • X-CLIENT-IP
  • Request.UserHostAddress

If the forward ips is a range, the last non-internal ip is returned.

 
Kevin Steffer
Kevin Steffer
Posted on 22/01/2018 14:07:20
Reply

I've just testet this a found a problem in your code that checks for ClientIp

Following this documentation of the use of Request.ServerVariables https://msdn.microsoft.com/en-us/library/ms525396(v=vs.90).aspx (read Remarks) you need to have "HTTP_" in front of the header name Request.ServerVariables["HTTP_X_FORWARDED_FOR").

A more intuitive way would maybe be to access the Request.Headers instead where you don't need to take the "HTTP_" naming prefix into account.

Request.Headers["X-Forwarded-For"]

Hope you can make a quick fix :)

Place: Dynamicweb.SystemTools.Security.IpBanner in your GetClientIpAddress method

 

 
Nicolai Pedersen
Posted on 22/01/2018 15:29:49
Reply

Hi Kevin.

Good catch! Registered as TFS#44987 and I made the fix and merged it to 9.3. Will be released with next hotfix, planned for tomorrow.

BR Nicolai

 
Kristian Kirkholt Dynamicweb Employee
Kristian Kirkholt
Posted on 23/01/2018 14:11:43
Reply

Hi Kevin

The problem regarding #44987 "Change sql injection check" has now been resolved in Dynamicweb version 9.3.12

To upgrade please choose this version from backend or download from here:

http://doc.dynamicweb.com/releases-and-downloads/releases

Let me know if you need any more help regarding this

Kind Regards
Dynamicweb Support
Kristian Kirkholt

 

You must be logged in to post in the forum