
Security issue: Protect against malicious requests.


This is not an app related issue, but rather a setup issue.

I have noticed that my server gets requests from unexpected IPs requesting WordPress-related sites. Example:

"GET /solr/admin/info/system?wt=json HTTP/1.1"
"GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 
"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"
"GET /api/jsonws/invoke HTTP/1.1"
"GET /console/ HTTP/1.1"
"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 
"POST /Autodiscover/Autodiscover.xml HTTP/1.1"
"GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 
"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"
"GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 
"GET /Autodiscover/Autodiscover.xml HTTP/1.1" 
"GET /solr/admin/info/system?wt=json HTTP/1.1"

I have also noticed unsuccessful SSH login attempts.

Symptom of the issue:

Error shown in the pigallery2 logs:

12/27/2020, 5:11:17 AM[WARN] Handled error:
ErrorDTO {
  code: 10,
  message: 'Unknown server side error',
  details: ForbiddenError: invalid csrf token
      at csrf (/app/node_modules/csurf/index.js:112:19)
      at result (/app/node_modules/express-unless/index.js:49:5)
      at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
      at trim_prefix (/app/node_modules/express/lib/router/index.js:317:13)
      at /app/node_modules/express/lib/router/index.js:284:7
      at Function.process_params (/app/node_modules/express/lib/router/index.js:335:12)
      at next (/app/node_modules/express/lib/router/index.js:275:10)
      at cookieParser (/app/node_modules/cookie-parser/index.js:57:14)
      at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
      at trim_prefix (/app/node_modules/express/lib/router/index.js:317:13) {
    code: 'EBADCSRFTOKEN'
  },
  detailsStr: 'ForbiddenError: invalid csrf token'
}

The UI shows:

Unknown server error
{ "message": "invalid csrf token", "code": "EBADCSRFTOKEN" }


astyonax commented, May 19, 2021

I tried enabling fail2ban to filter the failed logins, but I didn’t manage to parse the log. However, since I run pigallery2 behind a reverse proxy (traefik), I enabled the default botsearch filter and jail that matches well-known paths (WordPress & co) and excessive 404 requests. For nginx the filter is here: /etc/fail2ban/filter.d/nginx-botsearch.conf

bpatrik commented, May 19, 2021

@SlavikCA you are absolutely right with fail2ban, I was just lazy to set it up so far.

Although I think the app could do a better job with the nginx setup.

The docker container does not contain any unnecessary files and the node only serves files within the dist folder.

If you have any simple addons for the general nginx.conf that would be appreciated: https://github.com/bpatrik/pigallery2/blob/master/docker/docker-compose/default/nginx.conf

I will also update the location once I tested the change only instance. This https://github.com/bpatrik/pigallery2/issues/214#issuecomment-843574296 does not work.

The app only has GET for root / and some files on the root and within the /assets folder. And has GET, POST, PUT, OPTION, for /api/*. So I’m trying something to better match this.
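An nginx configuration fragment that implements the route allowlist bpatrik describes above, added here as an example; it is not the project's own nginx.conf from the linked repository. It forwards only the paths and methods listed in the comment and drops everything else at the proxy, so probes such as the POST to eval-stdin.php in the issue never reach the Express app and its CSRF middleware. The upstream name pigallery2_app, the container address pigallery2:80, the log paths and the list of root-file extensions are assumptions.

```nginx
# Added example, not the project's nginx.conf: route allowlist for a reverse proxy
# in front of pigallery2, built from the routes described in the comment above.
# Assumptions: the app is reachable as "pigallery2" on port 80 inside the compose
# network, and nginx may write to /var/log/nginx/.
upstream pigallery2_app {
    server pigallery2:80;
}

server {
    listen 80;
    server_name _;
    server_tokens off;

    # Normal traffic is logged here; the catch-all location below overrides this.
    access_log /var/log/nginx/access.log combined;

    # Pass the real client address so app-side logging and fail2ban see it
    # instead of the proxy's address.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Catch-all: any path not matched by a more specific location below is never
    # forwarded to the app. 444 closes the connection without a response, and the
    # hit is written to its own log so a fail2ban jail can count probes per client
    # IP instead of having to parse the app's CSRF errors.
    location / {
        access_log /var/log/nginx/blocked.log combined;
        return 444;
    }

    # The root document: GET only (limit_except GET also permits HEAD).
    location = / {
        limit_except GET { deny all; }
        proxy_pass http://pigallery2_app;
    }

    # Files the build places directly in the root (bundles, icons, manifest).
    # The extension list is an assumption; adjust it to what dist/ actually contains.
    location ~ ^/[^/]+\.(html|js|css|map|ico|png|svg|json|txt|webmanifest|woff2?)$ {
        limit_except GET { deny all; }
        proxy_pass http://pigallery2_app;
    }

    # Static assets under /assets/: GET only. The ^~ modifier stops the regex
    # location above from being consulted for these paths.
    location ^~ /assets/ {
        limit_except GET { deny all; }
        proxy_pass http://pigallery2_app;
    }

    # The API is the only place non-GET methods are accepted.
    location ^~ /api/ {
        limit_except GET POST PUT OPTIONS { deny all; }
        proxy_pass http://pigallery2_app;
    }
}
```

Check the syntax with nginx -t before reloading. With this in place, paths like /solr/admin/info/system or /vendor/phpunit/... from the log above hit the catch-all and are closed with 444, a POST to /assets/ or to a root file is answered 403 by nginx itself, and only /api/ traffic with the four listed methods reaches the app. Probes that only differ in the query string, such as /?XDEBUG_SESSION_START=phpstorm, still match the exact root location and are served the index page; those are harmless to the app but still appear in access.log, so a fail2ban filter that counts them would need to look there as well as in blocked.log.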

