DA security log: Found one of block_token_chars in token

Duboux

I found these new lines in the DA security log:
2007:11:05-13:00:14: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
2007:11:05-13:00:59: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
2007:11:05-16:01:11: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
2007:11:07-00:16:18: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
2007:11:08-00:21:34: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
2007:11:08-00:23:31: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
2007:11:11-14:58:15: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
2007:11:11-15:04:19: Found one of block_token_chars in token value1= from ***.***.***.*** with request /CMD_ALL_USER_SHOW
The blue *** resemble my personal IP.

What does it mean, is it important, and how can I get rid of it?
 
Could you (guys) check the 'value1=' and post this here also?
That could help resolve this issue.
 
I'm not sure what was causing it, but I no longer have these errors on any server.
 
This is what I have in /var/log/directadmin/security.log today:

Code:
2010:09:19-14:26:47: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:19-14:26:54: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:19-14:26:59: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:19-14:27:06: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:19-14:27:18: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:19-14:27:48: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:19-14:27:53: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:20-08:27:08: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:20-08:27:34: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:20-08:27:42: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:20-08:27:51: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:20-08:28:26: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:20-08:28:37: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER
2010:09:20-08:31:49: Found one of block_token_chars in token grep= from XX.X.XXX.XX with request /CMD_LOG_VIEWER

Obviously the IPs were shown; I've just replaced them with XX.
 
We are seeing the same thing in our log files - fresh install of DA 1.362:

Code:
2010:09:20-11:44:30: Found one of block_token_chars in token grep= from XXX.XX.XXX.XXX with request /CMD_LOG_VIEWER
2010:09:20-11:44:36: Found one of block_token_chars in token grep= from XXX.XX.XXX.XXX with request /CMD_LOG_VIEWER
2010:09:20-11:44:39: Found one of block_token_chars in token grep= from XXX.XX.XXX.XXX with request /CMD_LOG_VIEWER

Any ideas?
 
Just looked; in an older log I've got a few of them too:

Code:
2010:08:25-12:16:06: Found one of block_token_chars in token value1= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:24: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:27: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:31: Found one of block_token_chars in token value1= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:40: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:42: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:47: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:52: Found one of block_token_chars in token value1= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:16:55: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:17:00: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:17:02: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:17:10: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:17:12: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:17:18: Found one of block_token_chars in token value8= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:17:25: Found one of block_token_chars in token value1= from x.x.x.x with request /CMD_ALL_USER_SHOW
2010:08:25-12:17:38: Found one of block_token_chars in token value1= from x.x.x.x with request /CMD_ALL_USER_SHOW

All were of my own IP-address.

http://help.directadmin.com/item.php?id=284
block_token_chars=$[]<>:#

Values that are not permitted to be passed between pages via GET for the tokens.
There is a newline character in there as well, in the internal values. Can't add newline if you override it due to configfile limitations..

Not sure what characters I (or my browser) try to send, but I wouldn't worry about it. It probably is a bug of some kind, since the GET request it says in the logs doesn't contain any weird chars (not sure about those values in my logs).
 
I just checked the block_token_chars setting on another server running an older version of DA (v1.35.1) using the command:

Code:
/usr/local/directadmin/directadmin c

It returned the DA default (not explicitly set in /usr/local/directadmin/conf/directadmin.conf):

Code:
block_token_chars=$[]<>:#

This server has never displayed the block_token_chars error/notices that everyone mentions in this post. Must dig deeper :o.
 
Hello,

Thanks for the reports. You can ignore them.
The logic with the check wasn't quite correct.

It was:
Code:
if there is a value and the value is good
  add the token
else
  throw the error

The logic error was that the grep value was blank, so it threw the error.
I've changed it around:
Code:
if there is a value
{
  if the value is good
     add the token
  else
     throw the error
}
If anyone wants this fix now, just send us an email with your OS version and I'll compile you a set.

Also keep in mind that you will see these from time to time, and they can usually be ignored.
For example, check a log and grep for a time like "8:32". DA will throw the error since : is bad.. but all this means is that DA won't add the token |grep| to be used.
However, the actual field is filled by DA with an HTML-safe, sanitized set of characters, which is set with a totally different token.

The error displayed mainly only applies to skin designers if they're trying to pass data they shouldn't be, to prevent XSS attacks (like inserting JavaScript code).
So you can grep the value:
Code:
<script>alert('hi');</script>
and DA will obviously log the error in the security.log, and the |grep| token with that raw text won't be available.. however DA will still show you that text correctly because the |GREPVAL| token is filled with sanitized html safe characters, eg:
Code:
<input type=text size=32 value="&#60script&#62alert&#40&#39hi&#39&#41&#59&#60/script&#62" name=grep>
John
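
The check described in the post above, sketched in Python as an added example (not DirectAdmin's code and not part of John's post): it shows why a blank `grep` value was logged under the old logic, and how the raw token is dropped while a separately sanitized display token is still filled. The function names, the log message without IP and request, and the set of characters that get entity-encoded are assumptions; the blocked characters are the default quoted from the help page plus the internal newline.

```python
# Added illustration; not DirectAdmin source code.
BLOCK_TOKEN_CHARS = "$[]<>:#" + "\n"  # default from the help page + internal newline

# Assumption: characters turned into numeric entities for the display token.
HTML_ENCODE = set("<>()'\";&")


def has_blocked_char(value, blocked=BLOCK_TOKEN_CHARS):
    """True if the GET value contains any character from block_token_chars."""
    return any(ch in blocked for ch in value)


def add_token_old(tokens, name, value, log):
    """Original logic: a blank value falls into the else branch and is logged."""
    if value and not has_blocked_char(value):
        tokens[name] = value
    else:
        log.append(f"Found one of block_token_chars in token {name}=")


def add_token_fixed(tokens, name, value, log):
    """Fixed logic: only a non-blank value is checked, so blanks are silent."""
    if value:
        if not has_blocked_char(value):
            tokens[name] = value
        else:
            log.append(f"Found one of block_token_chars in token {name}=")


def html_safe(value):
    """Entity-encode markup characters for the separate display token."""
    return "".join(f"&#{ord(ch)};" if ch in HTML_ENCODE else ch for ch in value)


def render(grep_value, add_token):
    """Build the tokens for a log-viewer request with the given grep value."""
    tokens, log = {}, []
    add_token(tokens, "grep", grep_value, log)   # raw token, may be refused
    tokens["GREPVAL"] = html_safe(grep_value)    # always filled, always encoded
    return tokens, log
```

With a blank value, `render("", add_token_old)` produces a log entry and `render("", add_token_fixed)` does not; with `8:32` both log the entry and omit the raw `grep` token, while `GREPVAL` is still filled.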
 