Ultimate Website Firewall [Stop Attacks On Your Website]

[Amrik]

With this script you can protect your Website against SQL injections, Http Ddos, Remote File Inclusion, Local File Inclusion, XSS attacks, Null Byte Injection, Flood DOS, CPU Over-Use, Bad User Agents, Bad Referer, Users using proxy server and many more online threats.

SQL injection protection
XSS attack protection
Malicious Code Finder
Remote File Inclusion protection
Guest Port Checking function
Local File Inclusion protection
Null Byte Injection protection
Flood DOS protection
CPU Over-Use protection
Bad Referer protection
Http Ddos protection
Users using proxy server protection
Bad User Agents protection
Database user blocking
.htaccess user blocking
Attack logs viewer
Banned Ip manager
Admin Account manager
Updates Manager

Authors:
BlackDream, hack8

Code:

http://img685.imageshack.us/slideshow/webplayer.php?id=14841494.png

Download: https://sourceforge.net/projects/web-firewall/

[callumacrae]

PHP Code:

if (!defined('IN_SCRIPT'))
{
    header("HTTP/1.0 404 Not Found");
    exit;
} 


This kind of code is old (PHP4 era) and should be avoided. When using OOP properly, the script will not be ran, so you should be using OOP properly

PHP Code:

$tor_exit_node_list = '<?die;?>' . "\n" . '<!' . date('G') . '!>' . "\n" . $tor_exit_node_list;

When I first saw this code, my syntax highlighter displayed it wrong, taking the ?> as a closing tag, not part of the string. You could have an issue with this, I could recommend splitting it up like so:

PHP Code:

$tor_exit_node_list = '<?die;?'.'>' . "\n" . '<!' . date('G') . '!>' . "\n" . $tor_exit_node_list;

Function parseCleanValue can be replaced with htmspecialchars.


You should never use @ to suppress errors, as it is slow. You should never use globals - perhaps experiment with the Singleton pattern for the database class.


How about cleaning out register_globals?


You're releasing it under GPLv3, meaning that anyone who downloads can do whatever they want to do with it, as long as they release it under GPLv3 themselves. Therefore "DO NOT REMOVE THE COPYRIGHT, I WILL TAKE LEGAL ACTION" violates the license.



Moving to the appropriate forum, too.




It looks like a pretty good script!

[GtoXic]

@callumacrae: Most syntax Highlighters are made NOT to notice <?php and ?> in quotes (double and single). And that's why it's not a good idea to use what you use :D

[bd-pb]

Hello there

i am glad to see my project being published on more and more websites. Thanks for your comments guys but let me explain some things.

PHP Code:

if (!defined('IN_SCRIPT'))
{
    header("HTTP/1.0 404 Not Found");
    exit;
} 


You are definitely true in this one but i am not using OOP in all files. All the protections have been written without OOP so i cant think now any other way to protect the files from browsing access. Maybe this is the right way

Function parseCleanValue can be replaced with htmspecialchars.

unfortunately no, htmlspecialchars will convert almost any special char to html entities. I dont want this to be done. I dont want all the special chars to be converted, just some of them. In other way it may cause some problems.

as i have already written in the protection file(sanitize) this protection is not mine, it is used by Invision Power Board.

You should never use @ to suppress errors, as it is slow. You should never use globals - perhaps experiment with the Singleton pattern for the database class.

When you have developped a big project it is impossible to handle all the errors. As you can see i am not using the char @ always in the project, just in some points which are less important for users.

As for the global variables you are right and maybe the next version of the project will get rid of it
---------------

Ultimate web firewall upgraded to v2.1.0 with a lot of new feautures. Just go to the website: http://www.ufirewall.org

[callumacrae]

You are definitely true in this one but i am not using OOP in all files. All the protections have been written without OOP so i cant think now any other way to protect the files from browsing access. Maybe this is the right way

Use OOP, then :P

unfortunately no, htmlspecialchars will convert almost any special char to html entities. I dont want this to be done. I dont want all the special chars to be converted, just some of them. In other way it may cause some problems.

As per the manual, htmlspecialchars only converts &, <, >, " and '.

When you have developped a big project it is impossible to handle all the errors. As you can see i am not using the char @ always in the project, just in some points which are less important for users.

Only if you've coded it wrong from the beginning

[bd-pb]

Use OOP, then :P

Using OOP in all the files is a bit confused at least for me. Its better but no necessary

As per the manual, htmlspecialchars only converts &, <, >, " and '.

I see, but looking at the parsecleanvlue function you will see more chars to be converted :P Haha i had a lot time to see that file. It must be changed immidiatelly.

Only if you've coded it wrong from the beginning

NO i disagree. Even if you have made a class which handles the errors you will still have some problems. Just think about it...There are some php functions that returns errors even if you have parse them with the right way. Lets take for example fsockopen

[callumacrae]

fsockopen will only throw an error if you give it an invalid domain or it can't make the connection. Instead of suppressing the errors, a try / catch statement should be used.

[vv.bbcc19]

Finally, is it safe to use the same on X10hosting or is it still to get to a conclusion?
Will that eat resources and create high resource suspensions?

[Electroprgcr]

thanks is a good idea

[vv.bbcc19]

Is the firewall working without any HRU suspenstions?
Did anyone checked it out yet on X10 free hosting services?
Plz post.