FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Cleaning of Entered data / "Invalid Encoding Attack" [message #187500] Sat, 30 June 2018 20:10
alopezie, Germany
Messages: 106
Registered: September 2003
Karma: 1
Senior Member
I had a "specialist" who put characters in the posting and title tags which resulted in some funny "vertical" text and strange letters ....
Someone was saying similar things can happen also in phpBB.

So it would be better to clean the entered data.
The user suggested to use mb_check_encoding to prevent so-called "Invalid Encoding Attack" (http://php.net/manual/de/function.mb-check-encoding.php).




Alopezie.de - the forum on the topic of hair loss
Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187501 is a reply to message #187500] Sun, 01 July 2018 07:25
naudefj, United States
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
I've never seen an "Invalid Encoding Attack" and don't know how much of an issue it really is.
Can your specialist maybe help with a patch?
Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187502 is a reply to message #187501] Sun, 01 July 2018 07:32
alopezie, Germany
Messages: 106
Registered: September 2003
Karma: 1
Senior Member
You see here that the data entered in the message header ("Testtesta") even shows up in source code "vertically". In this case he added letters behind "Testtesta" resulting in this strange vertical line of letters.

Also see the nice German logo in the message box.


/forum/index.php?t=getfile&id=6696&private=0
/forum/index.php?t=getfile&id=6697&private=0

To prevent this I guess it would require just to add the PHP function "mb_check_encoding" in any data entry ....
  • Attachment: MWSnap213.jpg
    (Size: 18.64KB, Downloaded 1825 times)
  • Attachment: MWSnap214.jpg
    (Size: 78.52KB, Downloaded 1908 times)


Alopezie.de - the forum on the topic of hair loss

[Updated on: Sun, 01 July 2018 07:34]

Re: Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187503 is a reply to message #187502] Sun, 01 July 2018 08:00
naudefj, United States
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
Annoying, but I guess not dangerous.
We can add it to check_post_form() in postcheck.int.t.
Can you assist with a patch?
Aw: Re: Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187504 is a reply to message #187503] Sun, 01 July 2018 08:11
alopezie, Germany
Messages: 106
Registered: September 2003
Karma: 1
Senior Member
Mmhmm, I am myself not really a coder, and looking at the examples it's beyond my scope.
But I will send him the source code and ask him for help.


Alopezie.de - the forum on the topic of hair loss
Aw: Re: Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187507 is a reply to message #187504] Mon, 02 July 2018 06:44
alopezie, Germany
Messages: 106
Registered: September 2003
Karma: 1
Senior Member
He gave me the following reply:

Quote:

Hello, I have checked this and would let that go!

Unfortunately, these are all valid special characters, which also occur in the UTF-8 character set.
The bad guys here are the ones here: Thai์๋lä์์๋n์๋der, who can make several ์๋๋์๋๋๋๋๋, but unfortunately there is no clear pattern here that could be used to filter.
Okay, this is not a security problem, so we may stay "as-is" for the moment - in case it becomes a flood we have to recheck


Alopezie.de - the forum on the topic of hair loss
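
The point made in the quoted reply above, as an added example that is not from the thread's participants or from FUDforum's code: `mb_check_encoding` only rejects malformed byte sequences, so stacked combining marks pass it because they are well-formed UTF-8. The function name `check_text_field` and the cap of two consecutive marks are assumptions for illustration; a cap like this is a heuristic and can reject legitimate text in scripts that stack more marks.

```php
<?php
// Added example: hypothetical helper, not part of FUDforum or postcheck.int.t.

/**
 * Returns a list of problems found in a submitted subject or message body.
 * $maxMarks is the longest run of combining marks (\p{M}) tolerated; the
 * default of 2 is an assumed value and must be tuned per community/language.
 */
function check_text_field(string $text, int $maxMarks = 2): array
{
    // 1. Byte-level check: this is all mb_check_encoding can tell us.
    if (!mb_check_encoding($text, 'UTF-8')) {
        // Stop here: the /u regex below cannot run on malformed input.
        return ['invalid UTF-8 byte sequence'];
    }

    $problems = [];

    // 2. Rendering-level check: a long run of combining marks piles up
    //    vertically on one base character, although every byte is valid.
    $pattern = '/\p{M}{' . ($maxMarks + 1) . ',}/u';
    if (preg_match($pattern, $text, $m, PREG_OFFSET_CAPTURE) === 1) {
        $problems[] = sprintf(
            'run of %d combining marks at byte offset %d',
            mb_strlen($m[0][0], 'UTF-8'),
            $m[0][1]
        );
    }

    return $problems;
}

// Constructed sample inputs (not taken from the forum's data).
$samples = [
    'plain ASCII'     => 'Testtesta',
    'ordinary Thai'   => "\u{0E17}\u{0E35}\u{0E48}",                  // base + vowel + tone mark
    'malformed bytes' => "Test\xC3\x28",                              // broken 2-byte sequence
    'stacked marks'   => 'Test' . str_repeat("\u{0E4C}\u{0E4B}", 4),  // 8 marks on one letter
];

foreach ($samples as $label => $text) {
    $valid    = mb_check_encoding($text, 'UTF-8') ? 'yes' : 'no';
    $problems = check_text_field($text);
    printf("%-16s valid UTF-8: %-3s %s\n", $label, $valid,
        $problems ? implode('; ', $problems) : 'accepted');
}
```

Only the malformed-bytes sample fails the encoding check; the stacked-marks sample is valid UTF-8 and is caught solely by the combining-mark run length.
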
Re: Aw: Re: Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187508 is a reply to message #187507] Mon, 02 July 2018 06:47
naudefj, United States
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
Sounds reasonable to me :)
Ban the buggers that post crap on your forum.