
Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

TOPIC: False positive remote file inclusions?

False positive remote file inclusions? 12 years 4 months ago #20646

  • daskew
  • Fresh Boarder
  • Posts: 1
Good day,

I'm curious as to the number of remote file inclusion false positives we could get.

We use RSFirewall on all of our sites and only two have given us warnings about remote file inclusion attempts.

Both URLs were from mobile search sites. This is the latest.
I've gone there and tried directly clicking the links from both PC and mobile browsers. No errors at all, but if I try to directly go to this seemingly normal URL it throws 403 Forbidden with remote file inclusion.

So is this a false positive or some sort of actual penetration attempt?


Website: law-angelawhite.com/
Page: law-angelawhite.com/?_ult=sec=web&slk=we...w-angelawhite.com%2F
Referer: us.m.yahoo.com/r/uscell/search?p=&submit...white++the+survivors
Description: Remote file inclusion attempted.
Alert level: medium
Date of event: 2012-12-21 21:07:27
IP address: 50.xxx.xxx.198

False positive remote file inclusions? 12 years 4 months ago #20674

  • octavian
  • RSJoomla! Official Staff
  • Posts: 783
  • Thank you received: 110
Hello,

You can create an exception, as this looks like a legitimate request through Google Analytics. You can go to Exceptions, add a new Exception, set "Exception Type" to "URL", "Use regular expressions" to "Yes" and set "Match" to:
linkstr=http:\/\/

Regards!
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team
Last Edit: 12 years 4 months ago by octavian.

False positive remote file inclusions? 12 years 3 months ago #21252

  • xristo
  • Fresh Boarder
  • Posts: 8
Octavian, could you please provide the text (code) for adding an exception to the JomSocial component? I'm also getting false positives (Remote File Inclusion) when users try to comment on Events or in Groups. My Joomla site also integrates Kunena, which also throws false positives when users reply to topics. See the error message below for an example. Thank you in advance for your help.

Remote file inclusion attempted.
Debug information
URI: &view=topic&task=post&parentid=5&catid=3&292bda8f699f6ea7238b91db59fe7193=1&subject=Testing to see if posts into JomSocial Wall&topic_emoticon=2&url=http://&text2=&size=&url2=http://&videosize=&videowidth=&videoheight=&provider=&videoid=&videourl=http://&message=It worked on my end.&subscribeMe=1&ksubmit= Submit
Match: =http://&text2=&size=&url2=http://&videosize=&videowidth=&videoheight=&provider=&videoid=&videourl=http://&message=It worked on my end.&subscribeMe=1&ksubmit= Submit

NOTE: I'm using the Rocket Theme VOXEL, which appears to be the same template the previous poster (Daskew) is using. Perhaps it's something relating to RSFirewall's integration with Voxel.
Last Edit: 12 years 3 months ago by xristo.
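A triage helper for alerts like the two in this thread, added here as an example; it is not part of any post and is not RSFirewall code or its matching logic. It lists every query parameter whose value starts with a URL scheme and says whether that value is an empty placeholder (as in the Kunena debug URI), points back at the site itself, or names an external host. The function names, the example.org hosts and the sample URIs are constructed assumptions; the parameter name `linkstr` is borrowed from the exception regex in the reply above.

```python
from urllib.parse import urlsplit, parse_qsl

SCHEMES = ("http://", "https://", "ftp://")

def classify_url_params(uri, site_host):
    """Map each query parameter whose value starts with a URL scheme to a verdict."""
    # Logged URIs may lack the leading "?" (the debug output above starts with "&").
    query = urlsplit(uri).query or uri.lstrip("?&")
    verdicts = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        low = value.strip().lower()
        if not low.startswith(SCHEMES):
            continue
        try:
            host = urlsplit(low).hostname or ""
        except ValueError:              # malformed authority, e.g. "http://["
            verdicts[name] = "unparsable"
            continue
        if not host:
            verdicts[name] = "empty-placeholder"   # bare "http://" form default
        elif host == site_host or host.endswith("." + site_host):
            verdicts[name] = "own-site"            # link back to this site
        else:
            verdicts[name] = "external:" + host    # needs a closer look
    return verdicts

def likely_false_positive(verdicts):
    """True only if URL-valued parameters exist and none names an external host."""
    benign = {"empty-placeholder", "own-site"}
    return bool(verdicts) and all(v in benign for v in verdicts.values())

# Constructed sample URIs, shaped like the alerts quoted in this thread.
FORUM_POST = ("&view=topic&task=post&subject=Test&url=http://&text2="
              "&url2=http://&videourl=http://&message=It worked")
SEARCH_CLICK = "/?_ult=sec%3Dweb&linkstr=http%3A%2F%2Fwww.example.org%2F"
OTHER_HOST = "/index.php?u=http://other.example.net/a"

if __name__ == "__main__":
    for uri in (FORUM_POST, SEARCH_CLICK, OTHER_HOST):
        result = classify_url_params(uri, "example.org")
        print(likely_false_positive(result), result)
```

Parameters reported as `external:` or `unparsable` are the ones to review before adding an exception for the request.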