全体のフロー

-(front-end).php
 --mainfile.php
   ---modules/protector/include/precheck.inc.php  (この時点で使えるのは mysql_*() のみ。$xoopsDB を経由しないため、ここで組み立てる SQL の値のエスケープは自前で行うこと)
   ---include/common.php  (ǽƥ桼åĥ
 --header.php
   ---modules/protector/blocks/protector_block.php (なるべく $xoopsDB を使う)
...

mainfile.php へのパッチは必須。
Protector ブロックが表示されないと、グループ単位での IP 拒否その他が不可能。




Anti-DoS の処理フロー

precheck.inc.php

$protector->check_dos_attack_prepare() の呼び出し

すると、
  protector_access ơ֥Υ٥
  protector_access テーブルへのレコード追加
  同一 IP から同一 URI への連続アクセス (F5 Attack)
   > protector_access の同一 IP レコードのうち、5分以内のものの件数で判定
   > preferences で指定された動作を行って false を返す
   > banIP はこの時点では不可能なので、should_be_banned フラグを立てておく
   > header.php を通過しない場合に備えて、banIP の時にも sleep しておく
   > exit の場合は、exit; の前に記録
  USER_AGENT チェック
   > まともな USER_AGENT なら OK とする
   > USER_AGENT を詐称する悪意ある bot への対策は今後の課題（USER_AGENT はクライアントが自由に設定できる値なので、この判定は信頼境界にはならない）
  ƱIP͡URIؤι٥ ʥᥢɼܥå
   > preferences で指定された動作を行って false を返す
   > banIP はこの時点では不可能なので、should_be_banned フラグを立てておく
   > header.php を通過しない場合に備えて、banIP の時にも sleep しておく
   > exit の場合は、exit; の前に記録
  どれにも該当しなければ OK

返り値が false なら、記録する。
ここでは purge() などはしない。


protector_block.php

should_be_banned フラグが立っていて、ban 可能なグループなら、bad_ip に登録して purge()
$protector->check_dos_attack() の呼び出し

すると、( check_dos_attack() は check_dos_attack_prepare() とほぼ同じなので、異なる点のみ )
  precheck で既にチェック済みなら true を返す
  banIP の時には、即座に bad_ips に登録 (ban 可能グループの場合のみ)

返り値が false なら、記録する。
ここでは purge() などはしない。


preferences で指定できる動作

none   対応はとらないが、記録は行う
sleep  回数に応じた秒数だけ sleep()
exit   即座に exit
banip  xoopsConfig の bad_ips に登録



ファイルアップロード対策

デフォルトで ON

$_FILES の中に
/(\.php|\.phtml|\.phtm|\.php3|\.php4|\.cgi|\.pl|\.asp)$/
というパターンに合致するファイル名があったら、即座に purge()
（注意: このパターンは大文字小文字を区別するため .PHP などは一致せず、.php5 / .phps / .phar / .htaccess なども含まれていない。また末尾の拡張子しか見ないため foo.php.jpg のような二重拡張子は通過する。Web サーバの設定次第ではこれらも実行され得るので、アップロード先ディレクトリ側でスクリプト実行を禁止しておくこと。）

このチェックは precheck.inc.php でのみ行う。
ブロックで処理しても無意味なため。

B-Wiki など、php ファイルの添付が必要なサイトでは、この機能を OFF にするほかない。



システム変数対策

デフォルトでは、exit, BanIP ともに ON

$_POST, $_GET, $_COOKIE の中に

'_SESSION'
'HTTP_SESSION_VARS'
'_GET'
'HTTP_GET_VARS'
'_COOKIE'
'HTTP_COOKIE_VARS'
'_REQUEST'
'_SERVER'
'_ENV'
'_FILES'
'xoopsDB'
'xoopsUser'
'xoopsUserId'
'xoopsUserGroups'
'xoopsUserIsAdmin'
'xoopsConfig'
'xoopsOption'
'xoopsModule'
'xoopsModuleConfig'

のインデックスが無いか調べる。

precheck で見つかったら、即 purge()
preferences によらず、bad_ip 登録はしない。
CSRF で管理者が踏んでしまう可能性があるため（管理者自身の IP を拒否してしまうのを避ける）。

mainfile.php にパッチをしていない場合には、ブロックで見つかる。
この場合は、グループフラグが確認できるので、preferences の設定次第で bad_ip 登録を行ってから purge() を行う。



モジュール ID の XSS , SQL Injection 対策

デフォルトでは OFF

$_POST, $_GET, $_COOKIE のインデックスが 'id' で終わっていて、かつ除外対象でない変数については、intval() をかける

precheck , ブロックの両方で行う



SQL Injection 対策の 3 パス

$_POST, $_GET, $_COOKIE を再帰的にたどり、UNION または孤立した /* が無いかチェック

（孤立した /* とは、対になる */ の無い /* のこと。SQL Injection において非常によく使われる）

見つかった場合の処理はそれぞれ 3 パス

 ʥǥեȤON
  UNION なら、UNI-ON に分割する
  /* なら、最後に */ を与える
  （この置換は既知パターンの緩和に過ぎず、各モジュール側でのプレースホルダ／エスケープ処理の代わりにはならない）

λʥǥեȤOFF
  Ω /* ̤˽򤷤ƤƤճɤѥʤΤǡǼĤʤɤƤṳ̈ȤΤϡäȥӥåꤷƤޤ

bad_ip 登録（デフォルト OFF）
  λǤӥåꤹΤˡϤˤꤹ

check_sql_*() は、precheck とブロックで共通。
precheckǤϡ˥ȥϿäƤ
header.php を通過する時点でのみ、banIP や purge() を行う。



IP 拒否リストに載ってしまった時の救済策

XOOPS_URL/modules/protector/admin/rescue.php
で、あらかじめ設定しておいたパスワードを入力すれば、IP 拒否そのものを解除できる。

ΥѥɤϤ餫ꤷƤɬפ롣
֡ʥѥɤʸˤξ硢εߺѺ̵Ȥʤ롣



路եζػ

ファイル名を GET で直接指定する際に、つい チェックを忘れてディレクトリトラバーサルを許してしまうことを防ぐ。

եѥϤʤθ̩׵᤹ΤǡճȥѥϹʤ롣

trim() をしてから、

?^[0-9a-z_./-]*\.\./[0-9a-z_./-]+$?i

にヒットするリクエストのみ、'..' を '' に置換する。
それ以外は対象外とする。
（注意: このパターンは値全体が [0-9a-z_./-] だけで構成される場合にしか一致しないため、バックスラッシュや % などを含む値は書き換えられない。あくまで補助的な対策であり、モジュール側でのパス検証の代わりにはならない。）


