Google Analytics tracking code as hacker sequence in Chrome browser

1 week 2 days ago - 1 week 2 days ago #8296 by azurelinksc
Hi Jose,

I have a client who is promoting an event on Facebook and in marketing emails and they are using a link to the registration page which has Google Analytics tracking code appended on to the end of the link. They are saying that the following error message displays in the Chrome browser: "Error — A sequence has been detected that could mean a hacker attack. your request cannot be processed." I have confirmed that this text is in your en-GB language file.

I have confirmed that Line Comment entries are in the log which relate to the page. Though I am not able to reproduce this error in Firefox on a Mac.

The link is in this format:
https://oursite.com/training/item/the-event-page.html?utm_source=Our+Site-Name+Newsletters&utm_campaign=1122fdfba1-EMAIL_CAMPAIGN_2018_07_26_05_48_COPY_01&utm_medium=email&utm_term=0_2u3i1uuu-1122953&fbclid=IwAR1c--DUtnPbiTdEb_wBiZa5W9gik9w2owdtvMDQPObgvP2Sv9tv5AfgtHM

Not sure if this is SCP or a Chrome issue. Your thoughts?
Last edit: 1 week 2 days ago by azurelinksc.

1 week 2 days ago #8297 by Jose
Hi azurelink,

It's a false positive of SCP caused by the -- inserted in the link. Those characters are used to enclose SQL attacks and this is why the firewall thinks it's an attack.

Just enable the 'Easy config' feature from main panel of Securitycheck Pro to avoid this issue.

Regards,
Jose

1 week 2 days ago - 1 week 2 days ago #8298 by azurelinksc
I'm not sure if I want to change to the Easy Config settings. To overcome this while I waited for your response, I set the SQL Injection Line Comments filter to exclude the com_k2 component. Is that problematic? Btw, awhile back you modified SCP to change the List priority to have Whitelist as the first priority. Is that in version 3.2? And what are the second and third priorities? I have Whitelist/Dynamic Blacklist/Blacklist. What priorities does Easy Config set? I also wonder if changing the "--" to "-" would break the link? I'll check with Google, too.
Last edit: 1 week 2 days ago by azurelinksc. Reason: More info

1 week 1 day ago #8299 by Jose
Hi azurelink,

Sorry for the delay in getting back to you. I have just realized I didn't reply to you.

> To overcome this while I waited for your response, I set the SQL Injection Line Comments filter to exclude the com_k2 component. Is that problematic?

No, that's the other way to solve this issue.

> Btw, awhile back you modified SCP to change the List priority to have Whitelist as the first priority. Is that in version 3.2? And what are the second and third priorities?

Yes, I changed priorities a couple of versions ago. Someone told me it made no sense to have blacklist as first priority and he was right. This way, if you whitelist an IP, access will be granted by default.

> What priorities does Easy Config set?

The 'Easy config' feature only disables the most conflictive firewall rules (that is, those that cause more false positives). Those rules only protect against very rare attacks and require more attention.

> I also wonder if changing the "--" to "-" would break the link?

Yes, it will probably break the link.

Regards,
Jose

1 week 1 day ago - 1 week 1 day ago #8300 by azurelinksc
Thanks Jose, yes, that was me who questioned the List prioritization with regard to Blacklist first.
So if I change to Easy Config, how best to handle the .htaccess file currently in use? Should I place a clean version and then re-protect it with SCP? And will the new config get rid of my admin URL keyword protection? Any other custom filters need to be remade? I can also confirm that the change I made to the SQL Injection Line Comments filter above did in fact solve the problem. But I worry about whether it means all K2 URLs are now NOT protected. I guess the obvious question is what is different between the Easy Config method and my com_k2 filter exception? Which method is more secure?
Last edit: 1 week 1 day ago by azurelinksc. Reason: Added more text.

1 week 1 day ago #8301 by Jose

> Thanks Jose, yes, that was me who questioned the List prioritization with regard to Blacklist first.

You're welcome! As you can see, all customer feedback is taken into consideration :)

> So if I change to Easy Config, how best to handle the .htaccess file currently in use? Should I place a clean version and then re-protect it with SCP? And will the new config get rid of my admin URL keyword protection? Any other custom filters need to be remade?

Enabling the 'Easy config' does not require any other change. All of the other settings will remain applied. In fact, you can enable this feature and after disabling it you will get the same config previously set.

> I guess the obvious question is what is different between the Easy Config method and my com_k2 filter exception? Which method is more secure?

Both are secure. I prefer adding exceptions for false positives (as you did) instead of enabling the 'Easy config', but for non-technical users, e-commerce sites or for those with no time to monitor the site, the 'Easy config' option is the option to be taken.

Regards,
Jose
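
The false positive and the two exception scopes discussed in this thread, as an added example that is not part of the original posts and is not Securitycheck Pro's code. The rule pattern, the `inspect` and `flagged_params` helpers, the parameter-scoped exemption and the second sample URL are assumptions made for illustration; the first URL is the link from the opening post, shortened.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Simplified model of a "line comment" rule: SQL comment openers anywhere
# in a value. Assumption for illustration, not SCP's actual pattern.
LINE_COMMENT = re.compile(r"--|#|/\*")

# Link format from the first post (shortened): fbclid happens to contain "--".
BENIGN = ("https://oursite.com/training/item/the-event-page.html"
          "?utm_medium=email&utm_term=0_2u3i1uuu-1122953"
          "&fbclid=IwAR1c--DUtnPbiTdEb_wBiZa5W9gik9w2owdtvMDQPObgvP2Sv9tv5AfgtHM")

# Constructed sample: a value that ends in a real SQL line comment.
SUSPECT = ("https://oursite.com/training/item/the-event-page.html"
           "?id=1%27%20OR%201%3D1%20--%20&fbclid=abc")


def flagged_params(url, skip_params=frozenset()):
    """Names of query parameters whose decoded value matches the rule."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs
            if name not in skip_params and LINE_COMMENT.search(value)]


def inspect(url, component, exempt_components=frozenset(),
            exempt_params=frozenset()):
    """Apply the rule under two exception scopes.

    component is passed in because the SEF URL does not carry it; the CMS
    router resolves it. exempt_components models the per-component exception
    from the thread; exempt_params is a hypothetical narrower scope.
    """
    if component in exempt_components:
        return []  # rule is not evaluated at all for this component
    return flagged_params(url, exempt_params)


if __name__ == "__main__":
    for label, url in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "no exception:", inspect(url, "com_k2"))
        print(label, "component exempt:",
              inspect(url, "com_k2", exempt_components={"com_k2"}))
        print(label, "fbclid exempt:",
              inspect(url, "com_k2", exempt_params={"fbclid"}))
```

In this model the component-wide exception clears the tracking link but also stops the rule from seeing the constructed `id` value, while the parameter-scoped exemption clears the link and still flags `id`.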
