Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.4.x
Dauthus
Worker



Joined: Oct 07, 2003
Posts: 211

PostPosted: Sun Jun 25, 2006 9:55 pm Reply with quote

I have the gallery2 module running in my Nuke 7.6 pl 3.1 site. For some reason, when I try and add an image to my albums, I am triggering Sentinel as attempting to bypass the Filter System on the site.

The string is as follows:
[ Only registered users can see links on this board! Get registered or login! ]

Right now, sentinel won't allow members to upload images to their albums. Any suggestions for a possible fix for this?

gregexp
The Mouse Is Extension Of Arm



Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Sun Jun 25, 2006 10:37 pm Reply with quote

I think this is one of the functionalities of sentinel and to edit or disable this would leave your site wide open to an attack.

montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Mon Jun 26, 2006 9:24 am Reply with quote

The internal "http://" value in your query string is what has tripped this. I just wish Gallery wouldn't do this! I do not understand why they needed to architect it this way.

If you open up your includes/nukesentinel.php script, look for the following code:

Code:


  // Check for XSS attack
  if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)


The line right below this last line in your pl9 version of NS has a specific OR statement to look for http anywhere within the query string. You can, at your own risk, comment that line out.

You could play around with this and may add a check for name=Gallery2 in there so that you are still protected with this line outside of Gallery2.

technocrat
Life Cycles Becoming CPU Cycles



Joined: Jul 07, 2005
Posts: 511

PostPosted: Mon Jun 26, 2006 9:45 am Reply with quote

Untested, but it should work:

Replace all this:
Code:
eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)

  OR eregi("http\:\/\/", $ublock) OR eregi("http\:\/\/", $phpbb_root_path)


With:
Code:
(eregi("http\:\/\/", $nsnst_const['query_string']) AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery2"))

Dauthus







PostPosted: Mon Jun 26, 2006 12:05 pm Reply with quote

Thanks for all the help.

technocrat, I don't have the
Code:
OR eregi("http\:\/\/", $ublock) OR eregi("http\:\/\/", $phpbb_root_path)

in my version of sentinel.php. (pl9)

I am going to try and add the gallery2 module in there somewhere with a NOT operator and see what happens.
 
Dauthus







PostPosted: Mon Jun 26, 2006 12:50 pm Reply with quote

Ok, here's what I ended up doing. I would appreciate it if the experts here would check it and make sure I didn't screw up anything. I did check it and it works. I can upload images fine. I also checked the XSS by clicking on a referrer link in the admin and still ended up being banned, so I think it only allows the gallery2 module.

This is pretty much using technocrat's suggestion and montego's input.

Code:
// Check for XSS attack

  if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
  // Added protection for gallery2 module
  //OR stristr($nsnst_const['query_string'], "http://")
  OR ( stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery2"))
  // END gallery2 protection
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
  }
}


Thanks for any and all help.
 
technocrat







PostPosted: Mon Jun 26, 2006 12:54 pm Reply with quote

That should work; all you need to do is test it:
modules.php?name=http://
modules/Forums/admin/index.php?phpbb_root_path=http://
Should both trigger sentinel
 
gregexp







PostPosted: Mon Jun 26, 2006 4:40 pm Reply with quote

Tech, I tried the phpbb link and I just got an illegal operation; with the other one I just simply got banned (this one is OK, I think).

Is this how it's supposed to occur?
 
technocrat







PostPosted: Mon Jun 26, 2006 4:50 pm Reply with quote

You should be getting banned and if you are not then you have a problem.

I changed it to an eregi for a test and it worked fine with everything so here is what I have:
Code:
if ((eregi("http\:\/\/", $nsnst_const['query_string']) && !stristr($nsnst_const['query_string'], "modules.php?name=gallery2")) OR

  (stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd")) OR
  (stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu")) OR
  stristr($nsnst_const['query_string'],"concat") AND
  !stristr($nsnst_const['query_string'], "../")) {
 
gregexp







PostPosted: Mon Jun 26, 2006 5:00 pm Reply with quote

Actually... I didn't get banned at all... just blocked.
 
technocrat







PostPosted: Mon Jun 26, 2006 5:01 pm Reply with quote

I thought about it and found that this would be much safer:
Code:
if ((eregi("http\:\/\/", $nsnst_const['query_string']) && substr($nsnst_const['query_string'],0,strlen("name=gallery2")) != 'name=gallery2') OR

  (stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd")) OR
  (stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu")) OR
  stristr($nsnst_const['query_string'],"concat") AND
  !stristr($nsnst_const['query_string'], "../")) {
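
Added example (not code from this thread or from NukeSentinel): the Gallery2 exemptions posted above, rewritten with stripos/substr because eregi no longer exists in current PHP, and run over constructed query strings so the difference between them is visible. The third function, its `g2_return` allow-list and the sample strings are assumptions made for illustration.

```php
<?php
// Added example, not NukeSentinel code. Each function returns true when the
// request would be blocked by the "http://" query-string check.

// Exemption as posted at 12:50 pm and 4:50 pm: marker anywhere in the string.
function blocked_substring(string $qs): bool {
    return stripos($qs, 'http://') !== false
        && stripos($qs, 'modules.php?name=gallery2') === false;
}

// Exemption as posted at 5:01 pm: the query string must start with name=gallery2.
function blocked_prefix(string $qs): bool {
    return stripos($qs, 'http://') !== false
        && substr($qs, 0, strlen('name=gallery2')) != 'name=gallery2';
}

// Stricter variant (assumption, not from the thread): the module name must be
// exactly gallery2, and a URL is tolerated only in parameters named in
// $allowed, a hypothetical allow-list.
function blocked_strict(string $qs, array $allowed = ['g2_return']): bool {
    parse_str($qs, $params);               // also URL-decodes the values
    $isGallery = isset($params['name']) && $params['name'] === 'gallery2';
    foreach ($params as $key => $value) {
        $flat = is_array($value) ? print_r($value, true) : (string) $value;
        if (stripos($flat, 'http://') === false) {
            continue;                      // no URL in this parameter
        }
        if (!$isGallery || !in_array($key, $allowed, true)) {
            return true;                   // URL outside the exempted scope
        }
    }
    return false;
}

// Constructed query strings (example.test is a placeholder host).
$samples = [
    'name=gallery2&g2_return=http://example.test/modules.php?name=gallery2',
    'name=News&file=http://example.test/x',
    'name=News&file=http://example.test/x&y=modules.php?name=gallery2',
    'name=gallery2&file=http://example.test/x',
];

printf("%-10s %-7s %-7s %s\n", 'substring', 'prefix', 'strict', 'query string');
foreach ($samples as $qs) {
    printf("%-10s %-7s %-7s %s\n",
        blocked_substring($qs) ? 'block' : 'pass',
        blocked_prefix($qs) ? 'block' : 'pass',
        blocked_strict($qs) ? 'block' : 'pass',
        $qs);
}
```

The third and fourth samples are the ones worth keeping as regression checks after editing the filter: the substring exemption passes the third, and the prefix exemption passes the fourth.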
 
technocrat







PostPosted: Mon Jun 26, 2006 5:02 pm Reply with quote

darklord wrote:
Actually... I didn't get banned at all... just blocked.

You get the sentinel message or the actual forum admin not working?
 
gregexp







PostPosted: Mon Jun 26, 2006 5:13 pm Reply with quote

It says unknown blocker duration... now this is weird.
 
gregexp







PostPosted: Mon Jun 26, 2006 5:17 pm Reply with quote

Neither are working now... I don't get blocked by the filter.
 
gregexp







PostPosted: Mon Jun 26, 2006 5:31 pm Reply with quote

Anything else you can throw my way to help me test this blocker?
 
technocrat







PostPosted: Mon Jun 26, 2006 5:39 pm Reply with quote

That should be working. Did you turn off the filter blocker? Are you sure you copied the if statement correctly? Is everything else in Sentinel working?
 
gregexp







PostPosted: Mon Jun 26, 2006 5:51 pm Reply with quote

After checking the server, I found that it's being attacked and simply may not be able to write to the database. Curious why it isn't writing it to .htaccess, though. I will continue to monitor and see if this is the case or if any edits need to be made; perhaps it's my server.

And yes, I copied it all correctly, and I'm not sure if anything else is working because I'm not too sure what will trip Sentinel's blockers. Yes, they are active.
 
Dauthus







PostPosted: Mon Jun 26, 2006 7:53 pm Reply with quote

technocrat wrote:
That should work all you need to do is test it
modules.php?name=http://
modules/Forums/admin/index.php?phpbb_root_path=http://
Should both trigger sentinel


Just for reference, the first link triggered the Filter Abuse; the second just gave me an illegal operation also.

The only change that has ever been made to the sentinel install is the one listed above.

I tried the same links with a virgin sentinel (pl9) install and it came up with the exact same thing.
 
technocrat







PostPosted: Tue Jun 27, 2006 10:35 am Reply with quote

There was a problem with the upgrade and the full version not matching when it first came out.

Here is the default if as it is right now:
Code:


  // Check for XSS attack
  if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
  OR stristr($nsnst_const['query_string'], "http://")
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {


stristr($nsnst_const['query_string'], "http://") Should be catching the phpbb hack
 
Dauthus







PostPosted: Tue Jun 27, 2006 6:21 pm Reply with quote

That's what I was saying. The code you just posted is what I have in my virgin nukesentinel.php file. The web page is kicked back with an "illegal operation" message. It doesn't trigger sentinel.
 
montego







PostPosted: Tue Jun 27, 2006 8:56 pm Reply with quote

Actually, I had a really long response already typed up when I looked back above in the original hack test attempts. The second hack attempt bypasses NS because mainfile.php is not included. It is a direct access hack attempt.
 
technocrat







PostPosted: Wed Jun 28, 2006 9:46 am Reply with quote

It should be index.php->pagestart.php->mainfile.php->nukesentinel.php
 
montego







PostPosted: Thu Jun 29, 2006 6:41 am Reply with quote

You are correct, technocrat (should have known that!). OK, that is not good...
 
technocrat







PostPosted: Thu Jun 29, 2006 7:19 am Reply with quote

No, it's not; it's a bit concerning.

But as long as you have something overwriting phpbb_root_path RIGHT AFTER the mainfile include, the hack will not work. But it is important to try and track down the reason Sentinel is not protecting you.
 
gregexp







PostPosted: Thu Jun 29, 2006 5:45 pm Reply with quote

Uhh, I did a fresh install of Sentinel and tested it again, and it's still not working like you're saying, but everything else in Sentinel works just fine, except the forums: </scr ipt> is allowed in my forums, and it seems this is also, and man, I'm getting worried. I can't see it being a problem with the mainfile edits, as it works with every other part of my site.

Any ideas?
 
All times are GMT - 6 Hours