Ravens PHP Scripts: Forums
 

 

mrix
Client


Joined: Dec 04, 2004
Posts: 757

Posted: Sat Mar 11, 2006 3:02 am

Hello all, I find it hard to believe that with the latest phpNuke 7.6 and the latest patch with the latest Sentinel that somehow people can come along as Anonymous and add loads of sex ads to my reviews section of my site. I am having to delete these ads every day now and there are loads of them. I have set the reviews for registered only but Anonymous can still add the reviews, even though I am meant to accept posted reviews first.
Any ideas, all?
Thanks for any help
mrix
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Mar 11, 2006 7:24 am

No, you cannot stop this.
When you have certain settings set to public then you're opening the door to these types of submissions.
A bad words list wouldn't help either.

Only thing left is to ban on IP and disallow any proxy... that will kill 98 percent.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Sat Mar 11, 2006 7:48 pm

FB "conveniently" left this out... it was updated in newer versions of phpNuke.
If you are looking for a 7.6 Patched-compatible file with this feature, I have one here. It should stop people from anonymously posting comments now.

I expect this will be one of the things added to RavenNuke.

sting
Involved


Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...

Posted: Mon Mar 13, 2006 9:50 pm

Hey evaders, just a quick note - maybe you can point me in the right direction here.

The patched file that I am using (7.6 patch 3.2) worked well on first copy over - only things I have noticed - if there is a paren in the review title, you get the allowable html error.

Also, it may be a cookie issue for me but while the Anonymous poster is blocked - no wait - I think I may have figured it out - I think I am logged in as Admin, which gets me past the anonymous part, but it still posts a comment with "Posted by" and no user name... ha. So I am guessing one will only run into that problem if logged in as admin.

-sting

_________________
You see - I told you I wasn't paranoid. They were really out to get me. 
sting
Posted: Mon Mar 13, 2006 9:55 pm

Ok - so that's not it - I was logged in as a user, also as admin - the anonymous does get blocked, but in the Review Comments section, the posted by user doesn't seem to be working.

Not sure why (as of yet..)

-sting
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Tue Mar 14, 2006 1:13 am

RN NEEDS something like this - 'nuff said.
I'll be looking at this too as soon as time allows.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

Posted: Tue Mar 14, 2006 6:08 am

BugTracker anyone????

evaders99
Posted: Tue Mar 14, 2006 8:33 am

Yes, definitely will be included in 3.2's update for RavenNuke.

I don't seem to have this problem. Weird... sting, can you show me where this error is occurring?
I know there have been problems with unnecessary titles being passed... ultimately blocked by Sentinel. I've removed the unnecessary parts from Downloads and Web_Links - but if there's a problem with Reviews, I'll look into it too.
 
sting
Posted: Wed Mar 15, 2006 12:13 pm

Ok - which one are we talking about - the parenthesis in the title or the Posted by issue?

Either way - if you have a title like Movie (DVD), the parentheses seem to throw something out of whack as the Allowable HTML error comes up.

The other just has a "Posted by on this date". As soon as I get some time to look into this one I will.

-sting
 
evaders99
Posted: Wed Mar 15, 2006 4:51 pm

I just added a Review with that title just fine. Weird.
Tell me if you figure out anything or need help with it. Will need to give me some idea how to duplicate the bug
 
providence
Regular


Joined: Apr 23, 2005
Posts: 95

Posted: Thu Apr 27, 2006 1:51 am

I was hit with this.

I got hundreds of sex spams in my reviews.

How can I disallow anonymous to post in reviews section?
 
Guardian2003
Posted: Thu Apr 27, 2006 2:20 am

providence - you can make a start by changing the module access to registered users.
 
evaders99
Posted: Thu Apr 27, 2006 7:34 am

Here's the fix I backported from newer phpNuke, will be added to RavenNuke's SVN shortly. This will sync with the option of anonymous comments in the Preferences

in modules/Reviews/index.php

FIND

Code:


function postcomment($id, $title) {
    global $user, $cookie, $AllowableHTML, $anonymous, $module_name;


REPLACE WITH

Code:


function postcomment($id, $title) {
   global $user, $cookie, $AllowableHTML, $anonymous, $module_name, $anonpost;
   if (!is_user($user) && $anonpost == 0) {
      include("header.php");
      title("$module_name");
      OpenTable();
      echo "<center><b>"._RESTRICTEDAREA."</b><br><br>"._MODULEUSERS."";
      CloseTable();
      include("footer.php");
      die();
   }


FIND

Code:


function savecomment($xanonpost, $uname, $id, $score, $comments) {
    global $anonymous, $user, $cookie, $prefix, $db, $module_name;


REPLACE WITH

Code:


function savecomment($xanonpost, $uname, $id, $score, $comments) {
   global $anonymous, $user, $cookie, $prefix, $db, $module_name, $user_prefix, $anonpost;
   if (!is_user($user) && $anonpost == 0) {
      include("header.php");
      title("$module_name");
      OpenTable();
      echo "<center><b>"._RESTRICTEDAREA."</b><br><br>"._MODULEUSERS."";
      CloseTable();
      include("footer.php");
      die();
   }
 
deech
New Member


Joined: Jul 24, 2005
Posts: 12

Posted: Tue May 02, 2006 8:47 am

Is there any way to delete all current Review comments?
 
Guardian2003
Posted: Tue May 02, 2006 11:55 am

You should see that option when logged in as an admin when in the reviews module - or you could delete the data directly from the database.
 
providence
Posted: Sat Jun 03, 2006 5:49 am

I have already changed the module to access registered users only, and it has stopped.
Thanks Guardian!
 
Guardian2003
Posted: Sat Jun 03, 2006 7:38 am

Thanks for the update!
 
providence
Posted: Sun Jun 18, 2006 10:50 pm

Hey guys,

What if we add the captcha system when adding comments?

Doesn't that stop bots?
 
Guardian2003
Posted: Sun Jun 18, 2006 11:11 pm

providence wrote:
Hey guys,

What if we add the captcha system when adding comments?

Doesn't that stop bots?

It will stop most of them, yes.
 
providence
Posted: Sun Jun 18, 2006 11:24 pm

Is there already a script available for this?
 
Guardian2003
Posted: Mon Jun 19, 2006 12:02 am

Not that I know of (I thought you were offering to do it :) )
A quick fix is to change the module permissions to 'Registered User' but of course that means that the module will not get crawled.

This has actually been one of my personal gripes with nuke since I started using it, but so much time gets taken up with debugging that hardly any time is left for what I personally see as a 'must have' enhancement - or to put it nicely, a 'missing feature' ;)
 
providence
Posted: Mon Jun 19, 2006 12:20 am

Hehe, I would do it, but I don't know how.

A quick fix was to change the module permission to registered users, but doesn't that hide the module from unregistered users?

I don't want the spams, yet I don't like users to be forced to register just to read the reviews.
 
hitwalker
Posted: Mon Jun 19, 2006 3:42 am

Indeed, but that's a fact when you set it to registered...
The module as... reviews... can only be seen by registered, logged-in people.
 
thebishop
Worker


Joined: Aug 30, 2005
Posts: 243
Location: Flying to close to the sun

Posted: Thu Oct 26, 2006 5:31 am

evaders99 wrote:
Here's the fix I backported from newer phpNuke, will be added to RavenNuke's SVN shortly. This will sync with the option of anonymous comments in the Preferences

in modules/Reviews/index.php

FIND

Code:


function postcomment($id, $title) {
    global $user, $cookie, $AllowableHTML, $anonymous, $module_name;


REPLACE WITH

Code:


function postcomment($id, $title) {
   global $user, $cookie, $AllowableHTML, $anonymous, $module_name, $anonpost;
   if (!is_user($user) && $anonpost == 0) {
      include("header.php");
      title("$module_name");
      OpenTable();
      echo "<center><b>"._RESTRICTEDAREA."</b><br><br>"._MODULEUSERS."";
      CloseTable();
      include("footer.php");
      die();
   }


FIND

Code:


function savecomment($xanonpost, $uname, $id, $score, $comments) {
    global $anonymous, $user, $cookie, $prefix, $db, $module_name;


REPLACE WITH

Code:


function savecomment($xanonpost, $uname, $id, $score, $comments) {
   global $anonymous, $user, $cookie, $prefix, $db, $module_name, $user_prefix, $anonpost;
   if (!is_user($user) && $anonpost == 0) {
      include("header.php");
      title("$module_name");
      OpenTable();
      echo "<center><b>"._RESTRICTEDAREA."</b><br><br>"._MODULEUSERS."";
      CloseTable();
      include("footer.php");
      die();
   }


evaders, does this completely fix the issue of people being able to post comments in the reviews module under anonymous?

I'm running Nuke 7.6 fully patched and when I post a review, a comment from someone not registered shows up right under my review.
My reviews module has been for registered users only since I found out this could be done, but it's still happening.

I then deleted my review and posted another test review and BAM, there it was again, except the poster's name was different.
This is what it looks like.


testing review module
Posted by yukibv on 2006-03-07 15:06:37
My Score:
Admin: [ Delete ]
--------------------------------------------------------------------------------

amphetamine tramadol buy cialis
-------------------------------------

The above are links to sites.
 
evaders99
Posted: Thu Oct 26, 2006 11:09 am

First make sure you have "Allow Anonymous to Post?" in your Preferences turned off

Next try going to this URL on your Nuke site
modules.php?name=Reviews&rop=savecomment&xanonpost=1&uname=test&id=1&score=1&comments=blah

If that doesn't give you a "Restricted users" page, then something is wrong


Last edited by evaders99 on Thu Oct 26, 2006 9:23 pm; edited 1 time in total 
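
Why the backported guard sits in savecomment as well as postcomment, shown as an added example (not code from the thread or from phpNuke): a request like the test URL above reaches the save handler directly, without ever loading the comment form. Here is_user() is a simplified stand-in, the handler names and the member account are hypothetical, and the handlers return a status string instead of rendering a page and calling die().

```php
<?php
// Added illustration. $anonpost, is_user() and the handlers below are simplified
// stand-ins for the phpNuke names used in the thread, not the module's real code.
$anonpost = 0;   // "Allow Anonymous to Post?" switched off in Preferences
$stored   = [];  // stands in for the review comments table

function is_user($user) {
    // Assumption: real phpNuke validates the login cookie against the database.
    return is_array($user) && !empty($user['uname']);
}

// Before the fix: the handler assumes only the comment form ever calls it.
function savecomment_unpatched($user, $uname, $id, $score, $comments) {
    global $stored;
    $stored[] = ['by' => $uname, 'id' => (int) $id, 'text' => $comments];
    return 'saved';
}

// After the fix: the same condition as the backport, checked before any write.
function savecomment_patched($user, $uname, $id, $score, $comments) {
    global $stored, $anonpost;
    if (!is_user($user) && $anonpost == 0) {
        return 'restricted';
    }
    $stored[] = ['by' => $uname, 'id' => (int) $id, 'text' => $comments];
    return 'saved';
}

// Constructed requests: the query string of the test URL, once with no login
// and once with a logged-in member (hypothetical account name).
parse_str('name=Reviews&rop=savecomment&xanonpost=1&uname=test&id=1&score=1&comments=blah', $req);
$callers = ['anonymous' => null, 'member' => ['uname' => 'member1']];

foreach (['savecomment_unpatched', 'savecomment_patched'] as $handler) {
    foreach ($callers as $who => $user) {
        $result = $handler($user, $req['uname'], $req['id'], $req['score'], $req['comments']);
        printf("%-22s %-9s => %s\n", $handler, $who, $result);
    }
}
printf("comments stored: %d\n", count($stored));
```

Only the anonymous call to the patched handler is refused; gating or hiding the comment form alone would not have stopped the same call to the unpatched one.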
All times are GMT - 6 Hours