From: Jonathan S. <gel...@ge...> - 2002-02-20 20:57:31
On Wed, 20 Feb 2002, Wizard wrote:

> Back around 1997, I had made some security modifications to Matt
> Wright's WWWBoard for a friend of mine who was having some problems with it.
> In addition to restricting content-length, limiting re-posting, and a banner
> ad addition, I added a section which allowed for IP filtering. I finally got
> a chance to dig around, and came up with the attached code.
> It works through a deny/allow mechanism, which first denies the domain
> specified by the IP address, and then allows specific IPs within that
> address range. For example, "10.10.32.*" in the $deny string would deny
> postings by any users within that domain; however, if "10.10.32.7" were in
> the $allow string, then that particular IP could still post. The IPs of all
> users are posted as an HTML comment to each post. This IS somewhat of an
> advanced option for a lot of WWWBoard users and may be a problem with the
> un-initiated admin, however. Any thoughts?
> Let me know,

In principle this looks great. I would go for sticking some code that does this in and guarding it with 'unless $emulate_matts_code', remembering of course to update the README.

One suggestion I might make though is that you might consider expanding the allow list to be a pattern too, so that you could deny 195.157.* and allow 195.157.10.* for instance. Also you might want to look at the bit in FormMail.pl that someone did (sorry I can't remember who) that allows one to use CIDR notation for acceptable referers - it would be nice if we could allow a clueful administrator to allow or deny networks at a finer granularity than 2^8 chunks.

I think that wwwboard is probably the program that we should lay siege to next anyhow, so it would be interesting if people could go out and discover real or perceived vulnerabilities in the original version ... I know of a few (cf. The Alaskan Electrician) but I am sure there are more - mostly to do with the, er, baroque storage mechanism employed in the original program.

Oh BTW while you are in wwwboard could you fix the threading that I appear to have broken a while ago ;-}

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent
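The deny/allow mechanism described in the thread, with the two extensions Jonathan asks for (patterns on the allow list as well as the deny list, and CIDR blocks for finer-than-octet granularity), as an added example. This is not code from WWWBoard, nms or the attached patch; the sub names `ip_to_int`, `rule_matches` and `may_post`, and the sample rule lists at the bottom, are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not WWWBoard/nms code. Deny/allow IP filtering where each
# rule is either a wildcard pattern ("195.157.*", "10.10.32.7") or a CIDR
# block ("10.10.32.0/24"). Sub names and sample rules are hypothetical.
use strict;
use warnings;

# Dotted-quad IPv4 address -> 32-bit integer, or undef if it is malformed.
sub ip_to_int {
    my ($ip) = @_;
    my @o = split /\./, $ip, -1;          # -1 keeps a trailing empty field
    return unless @o == 4;
    for my $octet (@o) {
        return unless $octet =~ /^\d{1,3}$/ && $octet <= 255;
    }
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# Does $ip fall under $rule?  CIDR rules are compared numerically under the
# prefix mask; anything else is a wildcard pattern where '*' stands for one or
# more octets and every literal character is quoted before it reaches the regex.
sub rule_matches {
    my ($ip, $rule) = @_;
    my $ipn = ip_to_int($ip);
    return 0 unless defined $ipn;

    if ($rule =~ m{^([\d.]+)/(\d{1,2})$}) {
        my ($net, $bits) = ($1, $2);
        my $netn = ip_to_int($net);
        return 0 unless defined $netn && $bits <= 32;
        my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return (($ipn & $mask) == ($netn & $mask)) ? 1 : 0;
    }

    my $re = join '', map { $_ eq '*' ? '\d+(?:\.\d+)*' : quotemeta($_) }
                      grep { length } split /(\*)/, $rule;
    return $ip =~ /^$re$/ ? 1 : 0;
}

# Policy as described in the thread: an address is refused only if it matches
# a deny rule and no allow rule (allow rules are exceptions to deny rules).
sub may_post {
    my ($ip, $deny, $allow) = @_;
    return 0 unless defined ip_to_int($ip);     # refuse a malformed REMOTE_ADDR
    return 1 unless grep { rule_matches($ip, $_) } @$deny;
    return (grep { rule_matches($ip, $_) } @$allow) ? 1 : 0;
}

# Constructed sample policy: block 195.157.* except 195.157.10.*, and block
# 10.10.32.0/24 except the single host 10.10.32.7.
my @deny  = ('195.157.*', '10.10.32.0/24');
my @allow = ('195.157.10.*', '10.10.32.7');

for my $ip ('195.157.1.1', '195.157.10.20', '10.10.32.7',
            '10.10.32.8', '192.0.2.1', 'not.an.ip') {
    printf "%-14s %s\n", $ip, may_post($ip, \@deny, \@allow) ? 'allowed' : 'denied';
}
```

In a CGI the address checked would be `$ENV{REMOTE_ADDR}`, which is the TCP peer: behind a reverse proxy that is the proxy's address, and any `X-Forwarded-For` header is attacker-supplied, so it must not be used for this check unless the proxy is known to overwrite it. The quoting of literal characters in the wildcard branch matters because the rule strings are admin-controlled configuration that would otherwise be interpolated straight into a regex. Separately, writing each poster's IP into an HTML comment discloses it to anyone who views the page source, which an administrator enabling that option should be aware of.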