CVS edit link for JFN

Submit a completed module called 'RFI Report' which adds 2 new reports to Drupal dedicated to provide details on failed Remote File Inclusion attempts. Inspired by and based on dblog and Mollom.

The module is beyond the filter scope of dblog as it reports specific details such as RFI script name, attacking server, RFI script hosting server and the total amount of RFI attempts per day which are displayed in an open source swf xml chart (released August 2009).

More information on: http://www.mywebmymail.com/?q=content/rfi-report

CommentFileSizeAuthor
#7 rfireport.zip4.54 KBJFN
#4 rfireport.zip4.84 KBJFN
#1 rfireport.zip33.91 KBJFN

Comments

JFN’s picture

Title: JFN [jfn] » RFI Report
Status: Postponed (maintainer needs more info) » Needs review
StatusFileSize
new33.91 KB
avpaderno’s picture

Title: RFI Report » RFI JFN [jfn]
Issue tags: +Module review
avpaderno’s picture

Status: Needs review » Needs work
  1. The file LICENSE.txt needs to be removed, because Drupal.org CVS doesn't allow to commit it.
  2. Files available from third-party site should not be included in Drupal.org CVS.
  3. Files licensed under a license different from GPL cannot be included in the repository; see Why drupal.org doesn't host GPL-"compatible" code.
JFN’s picture

StatusFileSize
new4.84 KB

OK, thanks for the feedback:

1. LICENSE.txt removed
2. 3rd party files no longer included, instructions provided in README.txt, standard display format is in a table

JFN’s picture

Status: Needs work » Needs review

Sorry, update the status to "needs review", see my previous post.

avpaderno’s picture

Status: Needs review » Needs work
  1.     return t("Remote File Inclusion (RFI) is a technique often used to attack Internet websites from a remote computer. With malicious intent, it can be combined with the usage of a cross-server-attack to harm a webserver. Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own (malicious) code in the space provided for PHP programs on a web page. For more information visit the <a href=\"@rfireport-website\">RFI Report</a> website.",
    

    It should be better to avoid to escape the quote character on strings that needs to be translated; the script to extract those strings would probably extract the escape character too

  2.   $url=explode('http://',trim(str_replace('HTTP','http',$rfilog->location),'http://'));
    

    The code doesn't seem correct. trim() is removing any h, t, p, :, and /; then explode() should create an array item each time it finds an occurrence of http://, which cannot be found as those characters have been removed. See the examples in http://it2.php.net/manual/en/function.trim.php, where it is clear that the last parameter of trim() is a list of characters to be removed.

JFN’s picture

Status: Needs work » Needs review
StatusFileSize
new4.54 KB

1. Corrected by using single quotes and no escape character, the escape character solution was actually from Dries his Mollom module ;)

2. With RFI attempts there are 2x http strings in the URL, we are only interested in the 'middle' http string, the leading http string is from the website hosting Drupal. When we explode with the middle http string the first array key contains the Drupal domain, the second array key contains the domain of the RFI script. This is the reason why it is required to trim the leading http string.

avpaderno’s picture

Status: Needs review » Fixed
  1.     $url=explode('http://',trim(str_replace('HTTP','http',$rfilog->location),'http://'));
        $page='';$script='';
        if (is_array($url)) {
          if(key_exists(0,$url) && key_exists(1,$url)) {
            $domain=parse_url('http://'.$url[1], PHP_URL_HOST);
            $script=trim($url[1],'?');
    

    The coding standards say that a space should be added before and after a =, or after a comma in the parameter list of a function.

  2.   $caption = t('A total of ') . $totalrfi . t(' RFI attempts have been logged over the past ') . $totalday . t(' days');
    

    Rather than concatenating translatable strings, the code should use placeholders. In this way, people who create the translation for the module have a context that allow them to better translate the string (as a translation can be context-dependend).

  3.   header('Content-Type: text/xml');
    

    The code should use Drupal functions, when available. In this case the function to call should be drupal_set_header().

JFN’s picture

Status: Fixed » Closed (fixed)

Thanks a lot for your help!

The module is now available for download.

avpaderno’s picture

Status: Closed (fixed) » Fixed

There is no need to close a fixed issue. They are automatically closed after 14 days.

Status: Fixed » Closed (fixed)
Issue tags: -Module review

Automatically closed -- issue fixed for 2 weeks with no activity.

avpaderno’s picture

Component: Miscellaneous » new project application
Assigned: Unassigned » avpaderno
Issue summary: View changes
Status: Closed (fixed) » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.