Subject: Flawed by design.
Summary: Package rating comment
Messages: 3
Author: Artur Graniszewski
Date: 2010-08-12 09:34:27
Update: 2010-08-18 19:04:44
Artur Graniszewski rated this package as follows:
Utility: Insufficient
Consistency: Sufficient
Examples: Sufficient
Artur Graniszewski - 2010-08-12 09:34:28
Flawed by design.
The IP blocker can be easily fooled by randomizing the IP address in HTTP headers (for example in X-Forwarded-For).
Also, for me, HTML in POST/GET requests should be escaped, not removed (because this can lead to the loss of user data).
For me, more dangerous is XSS/SQL injection, which does not need to use HTML tags.
Petter Kjelkenes - 2010-08-18 15:26:58 - In reply to message 1 from Artur Graniszewski
Thanks for the reply.
Ipblocker is not 100% security because of this; actually, IP blocks in general cannot be stopped no matter what. But it makes it hard for people to access your site. First it checks HTTP_CLIENT_IP, then HTTP_X_FORWARDED_FOR, so the users must know what to send as a header to pass the IP check.
I agree stripping HTML is not very good practice, and I have now updated it so you can choose whether to use an XSS filter, which should only filter possible XSS attacks, or to use HTML stripping.
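The weakness discussed in messages 1 and 2 is that HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are set by whoever sends the request. The following is an added example, not the package's own code, of the usual mitigation: consult X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is one of your own reverse proxies, and otherwise use the socket address. The proxy list, block list and request arrays are constructed values for the demo.

```php
<?php
// Resolve the client IP without trusting headers from arbitrary peers.
// $trustedProxies: addresses of reverse proxies you operate (assumed list).
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection from an untrusted peer: any forwarding header is
    // attacker-controlled, so ignore it and use the socket address.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Behind our own proxy: walk X-Forwarded-For from the right (the end the
    // proxy appends to) and stop at the first address that is not a trusted
    // proxy. Entries further left were supplied by the client and are ignored.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $candidate = $chain[$i];
        if ($candidate === '' || filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the proxy address below
        }
        if (!in_array($candidate, $trustedProxies, true)) {
            return $candidate;
        }
    }
    return $remote; // header unusable; the proxy address is still a real one
}

function isBlocked(string $ip, array $blockList): bool
{
    return in_array($ip, $blockList, true);
}

// Constructed demo values.
$trustedProxies = ['10.0.0.5'];     // our reverse proxy
$blockList      = ['203.0.113.7'];  // a client we want to block

// Case 1: the blocked client connects directly and sends a forged header.
// The header is ignored, so the block still applies.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
var_dump(isBlocked(resolveClientIp($direct, $trustedProxies), $blockList));

// Case 2: the same client arrives through our proxy, which appended its real
// address after a forged one the client sent; the forged entry is skipped.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7'];
var_dump(isBlocked(resolveClientIp($viaProxy, $trustedProxies), $blockList));
```

Checking HTTP_CLIENT_IP before HTTP_X_FORWARDED_FOR, as the package does, does not change the outcome: both are request headers, so the same trust decision based on REMOTE_ADDR has to come first.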
Alberto - 2010-08-18 19:04:45 - In reply to message 2 from Petter Kjelkenes
Dude, it is not working in your last version when using the XML configuration, so can you check it please? For example, I want to block all IP addresses and just allow some of them; for that I use only the <allow> and comment out the <block>, but it didn't work for me. HELPPPPPPP