[mlimg]
[xlang:en]
= SUMMARY =
Protector is a module that defends your XOOPS CMS from a variety of malicious attacks.
It can protect against attacks such as:
- DoS
- Bad Crawlers (like bots collecting e-mails...)
- SQL Injection
- XSS (not all though)
- System globals pollution
- Session hi-jacking
- Null-bytes
- Directory Traversal
- Some kind of CSRF (fatal in XOOPS <= 2.0.9.2)
- Brute Force
- Camouflaged Image File Uploading (== IE Content-Type XSS)
- Executable File Uploading Attack
- XMLRPC's eval() and SQL Injection Attacks
- SPAMs for comment, trackback etc.
Protector defends your CMS from these attacks and records them in its log.
Of course, not every vulnerability can be prevented, so do not become overconfident.
However, I [color=ff0000][b]strongly[/b][/color] recommend installing this module on all XOOPS/ImpressCMS/XCL sites, whatever the version.
= INSTALL =
First, define XOOPS_TRUST_PATH in mainfile.php if you have not done so yet.
Copy html/modules/protector from the archive into your XOOPS_ROOT_PATH/modules/
Copy xoops_trust_path/modules/protector from the archive into your XOOPS_TRUST_PATH/modules/
Make XOOPS_TRUST_PATH/modules/protector/configs writable.
After Protector is installed, edit your mainfile.php like this:
[code]
[color=ff0000]include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ;[/color]
if (!isset($xoopsOption['nocommon']) [color=0000ff]&& XOOPS_ROOT_PATH != ''[/color] ) {
include XOOPS_ROOT_PATH."/include/common.php";
}
[color=ff0000]include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php' ;[/color]
[/code]
Just add the two red-colored lines.
If the blue-colored part differs from your mainfile.php, don't worry about it.
Both the pre-check and the post-check are needed.
An option "DENY by .htaccess" was added in version 2.34.
To try this option, make XOOPS_ROOT_PATH/.htaccess writable.
Before enabling it, weigh the benefit against the security risk of a writable .htaccess.
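The install steps above are easy to get half right (trust path undefined, configs/ not writable, or only one of the two includes added). The following CLI checker is an added example, not part of Protector; it assumes XOOPS_ROOT_PATH and XOOPS_TRUST_PATH are defined with literal string values, as in a stock mainfile.php, and that the include lines use the spellings shown in this README.

```php
<?php
// Added example (not part of Protector): a CLI sanity check for a mainfile.php
// edited as shown above. It assumes XOOPS_ROOT_PATH / XOOPS_TRUST_PATH are
// defined with literal string values, as in a stock mainfile.php.
// Usage: php check_protector_mainfile.php /path/to/mainfile.php

function mainfile_define($src, $name)
{
    // Returns the literal value of define('NAME', '...') or null if absent.
    $re = '/define\s*\(\s*[\'"]' . $name . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]/';
    return preg_match($re, $src, $m) ? $m[1] : null;
}

function check_protector_mainfile($path)
{
    $src = @file_get_contents($path);
    if ($src === false) return array("cannot read $path");
    $problems = array();

    // 1. XOOPS_TRUST_PATH must be defined and its configs/ dir must be writable.
    $trust = mainfile_define($src, 'XOOPS_TRUST_PATH');
    $root  = mainfile_define($src, 'XOOPS_ROOT_PATH');
    if ($trust === null || $trust === '') {
        $problems[] = 'XOOPS_TRUST_PATH is not defined (or is empty)';
    } else {
        $configs = rtrim($trust, '/') . '/modules/protector/configs';
        if (!is_dir($configs)) {
            $problems[] = "$configs is missing: copy xoops_trust_path/modules/protector first";
        } elseif (!is_writable($configs)) {
            $problems[] = "$configs is not writable: Protector keeps its deny list there";
        }
        // The Advisory's "privacy of XOOPS_TRUST_PATH" concern: the trust path
        // should not sit inside the web-served XOOPS_ROOT_PATH.
        if ($root !== null && $root !== '' &&
            strpos(rtrim($trust, '/') . '/', rtrim($root, '/') . '/') === 0) {
            $problems[] = 'XOOPS_TRUST_PATH lies inside XOOPS_ROOT_PATH (web-reachable)';
        }
    }

    // 2. Both includes must exist and bracket common.php: precheck first, postcheck last.
    $pre  = strpos($src, 'protector/include/precheck.inc.php');
    $com  = strpos($src, '/include/common.php');
    $post = strpos($src, 'protector/include/postcheck.inc.php');
    if ($pre === false)  $problems[] = 'precheck.inc.php include is missing';
    if ($post === false) $problems[] = 'postcheck.inc.php include is missing';
    if ($com === false)  $problems[] = 'common.php include not found';
    if ($pre !== false && $com !== false && $pre > $com) {
        $problems[] = 'precheck.inc.php must be included before common.php';
    }
    if ($post !== false && $com !== false && $post < $com) {
        $problems[] = 'postcheck.inc.php must be included after common.php';
    }
    return $problems;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $problems = check_protector_mainfile($argv[1]);
    foreach ($problems as $p) echo "PROBLEM: $p\n";
    echo $problems ? "FAILED\n" : "OK\n";
    exit($problems ? 1 : 0);
}
```

Run it on the server after the edit; an empty problem list means the two includes bracket common.php and the configs directory is writable.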
= How to recover from banning =
If you have been banned by Protector, just delete the files under XOOPS_TRUST_PATH/modules/protector/configs/
The "rescue password" setting and its controller have been removed.
----------------------------------
= UPGRADE from Protector 2.x =
- remove the two Protector lines from your mainfile.php
- remove all files under XOOPS_ROOT_PATH/modules/protector/ via FTP etc.
- upload the files from the archive (refer to INSTALL)
- run "upgrade" for Protector in modulesadmin
- add the two Protector lines back into your mainfile.php
Note: 3.0 uses "XOOPS_TRUST_PATH" where 2.x used "XOOPS_ROOT_PATH".
= Using filter-plugin =
You can try the filter-plugins in XOOPS_TRUST_PATH/modules/protector/filters_byconfig/ simply by copying them into filters_enabled/.
Since XOOPS_TRUST_PATH can be shared by multiple sites, you may want a filter enabled for one site but disabled for another.
To turn a filter on for a specific site, enter the name of the filter in Protector's preferences.
Of course, you can write your own filter-plugins; they are easy to create.
Here is an introduction to the filter-plugins in this archive.
- postcommon_post_deny_by_rbl.php
An anti-SPAM plugin.
All POSTs from an IP registered in an RBL will be rejected.
This plugin can slow down POST handling, especially for chat modules.
- postcommon_post_deny_by_httpbl.php
An anti-SPAM plugin.
All POSTs from an IP registered in http:BL will be rejected.
Before using it, get an HTTPBL_KEY from http://www.projecthoneypot.org/ and set it in the filter file:
[code]
define( 'PROTECTOR_HTTPBL_KEY' , '............' ) ;
[/code]
- postcommon_post_need_multibyte.php
An anti-SPAM plugin.
POSTs without multi-byte characters will be rejected.
This plugin is only for sites whose language is japanese, tchinese, schinese, or korean.
- postcommon_post_htmlpurify4guest.php
All POST data sent by guests will be purified by HTMLPurifier.
If you allow guests to post HTML, I strongly recommend enabling it.
- postcommon_register_insert_js_check.php
This plugin prevents robots from registering users on your site.
It requires JavaScript to be working in the visitor's browser.
- bruteforce_overrun_message.php
Specifies the message shown to visitors who have tried wrong passwords more than the specified number of times.
All plugins named *_message.php specify the message shown for rejected accesses.
- precommon_bwlimit_errorlog.php
When bandwidth limitation kicks in, this plugin logs it to Apache's error_log.
All plugins named *_errorlog.php log information to Apache's error_log.
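As an illustration of the "easy to create" claim above, here is an added example filter that is not one of Protector's bundled plugins: it rejects guest POSTs carrying more than a handful of links and logs the event. The plugin conventions it relies on are assumptions taken from the bundled postcommon_post_* filters of Protector 3.x (class named "protector_" + file name, extending ProtectorFilterAbstract, execute() returning true to continue, and $this->protector->output_log()); check them against the copy in your archive.

```php
<?php
// Added example, not one of Protector's own filters. Assumed file name:
//   XOOPS_TRUST_PATH/modules/protector/filters_enabled/postcommon_post_deny_urls_by_guest.php
// Assumed plugin conventions (from the bundled postcommon_post_* filters of
// Protector 3.x, verify against your copy): the class is "protector_" plus the
// file name without ".php", extends ProtectorFilterAbstract, and execute()
// returns true to let the request continue. output_log($type, $uid,
// $unique_check, $level) writes an entry to Protector's log.

class protector_postcommon_post_deny_urls_by_guest extends ProtectorFilterAbstract
{
    // Guests may post at most this many distinct links in one request (assumed limit).
    var $max_urls = 2;

    function execute()
    {
        // Nothing to inspect unless the request carries POST data.
        if (empty($_POST)) return true;

        // postcommon filters run after common.php, so $xoopsUser is available.
        // Registered users are trusted here; only guests are checked.
        global $xoopsUser;
        if (is_object($xoopsUser)) return true;

        $urls = array();
        $this->collect_urls($_POST, $urls);
        if (count($urls) <= $this->max_urls) return true;

        // Record the event (type, uid, unique_check, level) and stop the request,
        // the same way the bundled RBL/http:BL filters reject a POST.
        $this->protector->output_log('URL SPAM (guest)', 0, false, 32);
        header('HTTP/1.0 403 Forbidden');
        die('Too many links in a guest post.');
    }

    // Walk nested POST arrays and collect distinct http/https URLs (lower-cased).
    function collect_urls($data, &$urls)
    {
        if (is_array($data)) {
            foreach ($data as $v) $this->collect_urls($v, $urls);
            return;
        }
        if (preg_match_all('#https?://[^\s"\'<>]+#i', (string)$data, $m)) {
            foreach ($m[0] as $u) $urls[strtolower($u)] = true;
        }
    }
}
```

Copy the file into filters_enabled/ (or name it in Protector's preferences, as described above) to activate it; rejected requests appear in Protector's log under the type given to output_log().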
= NEW FEATURE SINCE 3.3: DBLayer trapping anti-SQL-Injection =
This feature can defeat most malicious SQL Injection attacks even if you use modules vulnerable to SQL Injection.
However, you have to patch the file "class/database/databasefactory.php" to enable the feature.
The patches/ folder contains a patched databasefactory.php for each core.
Of course, I would welcome each core team adopting the patches into HEAD :-)
The latest versions of these cores are already ready for this feature:
- XCL2.1.x
- ImpressCMS 1.x
Thank you minahito and marcan!
= CHANGES =
3.50 beta (2009/11/17)
- modified: filters can be turned on/off from Protector's preferences
- moved filters under filters_disabled/ into filters_byconfig/
- added a manipulation checker against FTP worms or silent raiders
3.41 (2009/11/17)
- fixed: some swf/swc files were often misidentified
- added language files
-- polish_utf8 (thx jagi)
3.40 (2009/09/16)
- numbered as a STABLE version
- renamed from "Xoops Protector" to simply "Protector"
- modified module icons for some forked cores (thx rene)
- modified postcommon_post_need_multibyte for func_overload (thx orange) 3.40a
- updated language files
-- spanish (thx Colossus) 3.40b
3.36 beta (2009/08/27)
- updated HTMLPurifier into 4.0.0
- added a filter postcommon_post_htmlpurify4everyone.php
- added a filter postcommon_post_register_moratorium.php 3.36a
- updated language files
-- persian (thx voltan) 3.36a
3.35 beta (2009/08/13)
- fixed: the English modinfo.php was always loaded (thx Phoenyx)
- modified comment-attack detection of DBL anti-SQL-Injection again
- defined some constants so module maintainers can detect Protector's mode
-- PROTECTOR_ENABLED_ANTI_SQL_INJECTION
-- PROTECTOR_ENABLED_ANTI_XSS
- updated language files
-- arabic (thx Onasre) 3.35a
3.34 beta (2009/07/06)
- modified comment-attack detection of DBL anti-SQL-Injection
- added an option that always enables DBL trapping, for some environments
3.33 beta (2009/04/03)
- stopped forcing the rewriting of PHP_SELF and PATH_INFO (thx nao-pon)
- added a PHP_SELF check to the bigumbrella anti-XSS
- added a constant PROTECTOR_VERSION
- modified compatibility with ImpressCMS (thx vaughan)
- fixed: the "none" option for F5Attack and Crawler did not work correctly (thx ChaFx)
- turned the default value of bigumbrella anti-XSS on
3.32 beta (2009/01/27)
- fixed: DBL anti-SQL-Injection was skipped when nocommon=1 (thx naao)
- updated language files
-- persian (thx voltan)
-- de_utf8 (thx Rene) 3.32a
3.31 beta (2009/01/20)
- fixed DBL anti-SQL-Injection's false detection on db->quoteString() with "
- updated language files
-- spanish (thx Colossus)
3.30 beta (2009/01/14)
- added DBLayer trapping anti-SQL-Injection
- added a filter precommon_bwlimit_errorlog.php
- added a filter precommon_badip_errorlog.php
- updated language files
-- spanish (thx Colossus)
- modified precommon_bwlimit_*.php to return a 503 error (thx Colossus) 3.30a
3.22 (2008/12/03)
- modified the condition under which the cookie 'deleted' is sent as autologin_uname
- added a checker for the privacy of XOOPS_TRUST_PATH to the Advisory
- added language files
-- nederlands (thx Cath)
- updated language files
-- persian (thx voltan) 3.22a
- modified page navigation (thx McDonald) 3.22a
3.21 (2008/11/21)
- added preferences for bandwidth limitation
- enabled precommon_badip_message.php by default
- modified the messages from precommon filters
- updated language files
-- spanish (thx Colossus) 3.21a
- fixed fatal typo in protector.php (thx rohi) 3.21a
3.20 (2008/09/17)
- numbered as a stable version
- updated language files
-- arabic (onasre)
- fixed language files
-- de_utf8
- added language files
-- italian (thx Defcon1) 3.20a
- added a method isMobile() to ProtectorFilterAbstract 3.20b
3.17 beta (2008/04/24)
- modified: URLs with the same hostname as XOOPS_URL are no longer counted as URI SPAM
- updated language files
-- persian (thx stranger and voltan) 3.17a
- added language files
-- de_utf8 (thx wuddel) 3.17a
3.16 beta (2008/01/08)
- added a filter postcommon_post_deny_by_httpbl for anti-spam via honeypotproject
- updated language files
-- polish (thx kurak_bu)
3.15 beta (2007/10/18)
- added "compact log"
- added "remove all log"
- added language files
-- fr_utf8 (thx gigamaster)
3.14 beta (2007/09/17)
- imported HTMLPurifier (special thx! Edward Z. Yang), PHP5 only
- added filtering points (spamcheck, crawler, f5attack, bruteforce, purge)
- added filter plugins
-- postcommon_post_htmlpurify4guest (guests' posts will be purified), PHP5 only
-- spamcheck_overrun_message
-- crawler_overrun_message
-- f5attack_overrun_message
-- bruteforce_overrun_message
-- prepurge_exit_message
3.13 beta (2007/08/22)
- modified the filter structure from functions to classes
- added filtering points (badip, register)
- added filter plugins
-- postcommon_register_insert_js_check (against registering SPAM)
-- precommon_badip_message (displays a message on rejecting the IP)
-- precommon_badip_redirection (redirects somewhere on rejecting the IP)
3.12 beta (2007/08/16)
- fixed for controllers with $xoopsOption['nocommon']=true
3.11 beta (2007/08/16)
- modified the ordering of precheck and postcheck
- removed an RBL server from postcommon_post_deny_by_rbl.php
- added language files
-- french (thx Christian)
3.10 beta (2007/07/30)
- modified precheck to get its config via a local cache
- modified precheck to avoid connecting to MySQL where possible
- fixed: "reliable IP" did not work well
- modified: the mainfile patch can be inserted before Protector is installed
- added logic to check some folders' permissions when installing Protector
- modified IP denying patterns: 'full', 'forward match', and 'preg match'
- added a moratorium for denied IPs
- added a warning if the configs directory is not writable
3.04 (2007/06/13)
- added a check against the phpmailer command-injection vulnerability.
- modified postcommon_post_need_multibyte (3.04a)
3.03 (2007/06/03)
- added protection against the installer attack
- changed a language name
-- ja_utf8 (formerly japaneseutf) 3.03a
3.02 (2007/04/08)
- modified compatibility of the option "force_intval"
- fixed wrong link in advisory.php (thx genet)
- added a way for a module to skip the DoS/crawler check (by defining a constant)
- updated D3 system
- added language files
-- persian (thx voltan)
-- russian (thx West) 3.02a
-- arabic (thx onasre) 3.02b
-- japaneseutf 3.02c
3.01 (2007/02/10)
- modified the rule for sorting IPs
- added language files
-- portuguesebr (thx beduino)
-- spanish (thx PepeMty)
-- polish (thx kurak_bu) 3.01a
-- german (thx wuddel) 3.01b
- modified module_icon.php 3.01c
- fixed typo in module_icon.php 3.01d
3.00 (2007/02/06)
- marked as a stable version
- fixed typo in log level
- fixed: the multibyte plugin never denied registered users (thx mizukami)
- modified compatibility with 2.2.x from xoops.org 3.00a
3.00beta2 (2007/01/31)
- added plugin system (just postcommon_post_*)
- added filtering-plugins
-- postcommon_post_deny_by_rbl.php (deny SPAM by RBL)
-- postcommon_post_need_multibyte.php (deny SPAM by character type)
3.00beta (2007/01/30)
- moved almost all files under XOOPS_TRUST_PATH
- modified IP denying storage from the DB to a file under configs
- removed the rescue feature (just remove a file via FTP instead)
- added allowed IPs for users of group=1
- modified table structures (MySQL5-compatible)
- added BigUmbrella anti-XSS system
- added anti-SPAM feature
= THANKS =
- Kikuchi (Traditional Chinese language files)
- Marcelo Yuji Himoro (Brazilian Portuguese and Spanish language files)
- HMN (French language files)
- Defkon1 (Italian language files)
- Dirk Louwers (Dutch language files)
- Rene (German language files)
- kokko (Finnish language files)
- Tomasz (Polski language files)
- Sergey (Russian language files)
- Bezoops (Spanish language files)
These contributions were made for v2.x.
I would appreciate new language files for v3.0 :-)
Moreover, I thank JM2 and minahito of the zx team for kindly teaching me.
You are very great programmers!
[/xlang:en][xlang:ja]
= Japanese section =
(The Japanese text of this section is not recoverable from this copy; only the code and paths below survive. The summary, install, ban-recovery and upgrade text mirrors the English section above.)
For XOOPS Cube Legacy 2.1, the corresponding block of mainfile.php becomes:
[code]
if (!defined('_LEGACY_PREVENT_LOAD_CORE_') && XOOPS_ROOT_PATH != '') {
include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ;
@include_once XOOPS_ROOT_PATH.'/include/cubecore_init.php';
if (!isset($xoopsOption['nocommon']) && !defined('_LEGACY_PREVENT_EXEC_COMMON_')) {
include XOOPS_ROOT_PATH.'/include/common.php';
}
include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php' ;
}
[/code]
For ImpressCMS, mainfile.php is not edited; the archive's extras/ImpressCMS/preload/protector.php is used as an ImpressCMS preload instead (preload by vaughan).
[/xlang:ja]