Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
AndyB
Worker
Worker


Joined: Jun 03, 2004
Posts: 231
Location: Torrevieja, Spain

PostPosted: Sat Feb 10, 2007 1:49 pm Reply with quote

hi guys;

Nuke 7.6
Chatserve patch 3.3
Dis Errors
Gallery 1.1.5 pl1
Sentinel 2.5.01

I've got the two running together, gallery shows as a module and works ok, etc. BUT when a user tries to rename an album (not sure if anything else) it bans the user. Admins cannot rename an album (the directory on the server- although Sentinel doesn't ban them)

I've just spotted there's a Sentinel update available- which I will endeavour to do tomorrow.

I've done searches on hereetc. but you use google for searches (not good in my experience- you can't select which forum to search in, just the whole site)

I'm sure I've had something similar to this in the past... any ideas?

The message from Sentinel is this:
Code:
Blocked IP:   217.208.xx.xxx

User:   <removed by me>
Agent:   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Blocked on:   2007-02-09 13:17:18
Notes:   Added by NukeSentinel(tm)
Reason:   Abuse-Filter
 
Query String:   
Get String:   
Post String:   
Forwarded For:   none
Client IP:   none
Remote Address:   217.208.xx.xxx
Remote Port:   1891
Request Method:   GET

Query String: /modules.php?parentName=audioc&return=modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php

Get String: /modules.php?parentName=audioc&return=/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php

Post String: /modules.php

've removed the website URL deliberately.....

User tries to create an album- blocks him

While searching on here, I found something that may have helped:-
Only registered users can see links on this board! Get registered or login! presumably from the fixes instigated by Chatserv?


Code:
// Check for XSS attack

  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin'])) {
    if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
     // Added protection for gallery2 module
     //OR stristr($nsnst_const['query_string'], "http://")
     OR ( stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery"))
    // END gallery protection
    // OR stristr($nsnst_const['query_string'], "http://") rem by Andy
    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
      block_ip($blocker_row);

I know the fix was for Gallery2- I edited to try to work with Gallery1. It didn't work though- it still banned the user....

Any comments/ suggestions welcome!
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sun Feb 11, 2007 10:20 am Reply with quote

We're not ignoring you - we just don't have any answers for you. I don't use Gallery so I don't even have a test bed to try this on. Hopefully there are other users out there that can try this as I know there are many that run NukeSentinel(tm) and Gallery.
 
View user's profile Send private message
AndyB
PostPosted: Sun Feb 11, 2007 12:23 pm Reply with quote

Ok- thanks Raven;

I didn't know if it was something that affected other modules in a similar way also. (There were over 10,000 photos on the site, btw)

I've no objection to trying different bits of code- I've got one of the site's regular users who is happy for us to keep trying stuff- and him getting banned/ me unbanning him regularly Very Happy

I would have thought that this was a faorily common module to be used on sites with Sentinel- surely someone must have come across this before though?
 
Dauthus
Worker
Worker


Joined: Oct 07, 2003
Posts: 211

PostPosted: Sun Feb 11, 2007 4:44 pm Reply with quote

The edit you entered won't work with your version or your issue.

The simple reason was the edit in the post you referenced was to "allow" the

Code:
http://


in the string. The

Code:
modules.php?name=gallery


portion was added so only that link would be allowed with the

Code:
http://


to work in sentinel.

Your issue does not have the

Code:
http://


in the string.

I am fairly sure the

Code:
&cmd=


is what is causing the ban. It is part of the XSS code in the includes/nukesentinel.php here:

Code:
  // Check for XSS attack

  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
    if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))
    OR stristr($nsnst_const['query_string'], "http://")
    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
      block_ip($blocker_row);
    }
  }
}


Specifically this line:

Code:
    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )


The sentinel gurus here should be able to code you a safe inclusion of the gallery module to this line.

_________________
Only registered users can see links on this board! Get registered or login!
Vivere disce, cogita mori 
View user's profile Send private message Visit poster's website
AndyB
PostPosted: Sun Feb 11, 2007 4:56 pm Reply with quote

cheers!

Fingers crossed- I've tried the nukegallery forums as well, trying to cover "bases"- allowing a couple of days between each new post (each forum- icnuding Uk support site)

I really need this (obviously)

I'm trying to avoid cross site posting, where possible.

I understood (maybe wrongly) that the issue may have been with to do with the "http" being in the title- obviously not.

Fingers crossed.....

Cheers for all help and suggestions- it is appreciated!
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Sun Feb 11, 2007 11:49 pm Reply with quote

There are several fixes that have been posted in these Forums. If I recall correctly they involve "patching" sentinel to allow cmd if the module name is Gallery. But I don't recall the details and don't have time tonight to go searching for you; I know the solutions are here though. Post back if you really can't find it and I'll do some looking around during the week.
 
View user's profile Send private message Visit poster's website
AndyB
PostPosted: Mon Feb 12, 2007 8:58 am Reply with quote

thanks for the response- I've hammered the search function (Raven, if you have a load of 406 errors it was me- I don't think forum search function liked my query string!)

I've even found some of my earlier posts about a similar thing... Gallery and Sentinel....

(this is reading for later)
In case of you lot reading this are having the same issue, the posts I've come up with to check out in more depth are:
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!

I'll reply once I find whihc one gives me a fix....
 
AndyB
PostPosted: Tue Feb 27, 2007 5:30 pm Reply with quote

tried the one that looked closest to what would work with the code I had (editing this post as I didn't see the copy and paste was the wrong one)

anyway, it didn't work.... (the "fix" I tried)


Last edited by AndyB on Wed Feb 28, 2007 6:12 am; edited 1 time in total 
AndyB
PostPosted: Tue Feb 27, 2007 5:38 pm Reply with quote

and I've checked out the other links my search brought up (some were my original posts, lol from years ago on an older version of nuke/ gallery/ sentinel)

The one I posted up above looked like it *should* work, but blocked the user that was testing....

got me stumped this.

Some searches show hightligh and cmd in the search string, but when I try to click the links on here, gives me a forbidden type error.....
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Thu Mar 01, 2007 6:55 am Reply with quote

Ok, first, let us verify that this is what you have within includes/nukesentinel.php:

Code:
  // Check for XSS attack

  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
    if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))
    OR stristr($nsnst_const['query_string'], "http://")
    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
      block_ip($blocker_row);
    }
  }


Try changing this line here:

Code:
   OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )

To:

Code:
    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery"))


Now, just keep in mind that I do not use gallery any longer, so we'll have to have you tell us if it works or not.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
AndyB
PostPosted: Thu Mar 01, 2007 4:21 pm Reply with quote

thanks- but didn't work.

I can supply my full includes/ sentinel.php if it helps?

from the email:

Code:
Date &amp; Time: 2007-03-01 22:08:21 GMT GMT +0000

Blocked IP: 84.68.removed by me
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 2.0.50727) Query String: /modules.php?parentName=user_photos&return=http://www.audifans.net/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Get String: /modules.php?parentName=user_photos&return=http://www.audifans.net/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Post String: /modules.php
Forwarded For: none
Client IP: none
Remote Address: 84.68.removed by me
Remote Port: 50639
Request Method: GET
 
Dauthus
PostPosted: Thu Mar 01, 2007 6:54 pm Reply with quote

Actually it appears it did work. The string you just posted is different than the string you posted previously. This string does have the "http://" within it.

I think now would be the time to also include the first fix you attempted at the beginning of this post along with the one montego gave you. See how that works.
 
fkelly
PostPosted: Thu Mar 01, 2007 8:19 pm Reply with quote

I had a similar "fix" in when I ran Gallery 1.4x and 1.5x. I just went looking for it and didn't find in /includes/nukesentinel.php but I'm not having problems. The reason I think is that I'm running Gallery 2.1x now. But yes, the fix Montego gave you should work.

I'm guessing Gallery 2.1 does things differently since I have it running on 2 sites with different versions of NS and with no problems. Not that upgrading Gallery is for the faint of heart but it might be a solution at some point down the road for you.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Thu Mar 01, 2007 9:34 pm Reply with quote

That return=http:// might be doing it too.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
montego
PostPosted: Fri Mar 02, 2007 6:42 am Reply with quote

you guys are GOOD! Yes, I just saw too that the posted link is different. http: will definitely trip it.
 
AndyB
PostPosted: Fri Mar 02, 2007 1:38 pm Reply with quote

I tried that- Sentinel still kicked in.

Code:
Date &amp; Time: 2007-03-02 19:32:26 GMT GMT +0000

Blocked IP: 84.68.removed by me
User ID: removed by me
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 2.0.50727) Query String: Only registered users can see links on this board! Get registered or login!
Get String: Only registered users can see links on this board! Get registered or login!
Post String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 84.68.removed by me
Remote Port: 50327
Request Method: GET



My bit is now: (just in case I mis understood the instructions)
Code:


// Check for XSS attack
  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
    if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))
    //OR stristr($nsnst_const['query_string'], "http://")   
OR ( stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery"))
    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery"))
    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
      block_ip($blocker_row);
    }
  }


Cheers for the help so far guys, much appreciated.
 
AndyB
PostPosted: Fri Mar 09, 2007 3:33 pm Reply with quote

any other ideas?

Cheers!

Andy
 
Gremmie
PostPosted: Fri Mar 09, 2007 3:52 pm Reply with quote

Try changing this part:

Code:


!stristr($nsnst_const['query_string'], "modules.php?name=gallery")


To this:
Code:


!stristr($nsnst_const['query_string'], "name=gallery")


For some reason your links aren't getting generated as modules.php?name=gallery...it is putting other stuff first.
 
AndyB
PostPosted: Fri Mar 09, 2007 5:26 pm Reply with quote

you STAR! MANY MANY THANKS!
I've already donatec this month (doesn't show on donations) and I'll donate AGAIN

MANY MANY THANKS

YOU GUYS ROCK


Wink
 
montego
PostPosted: Sat Mar 10, 2007 8:00 am Reply with quote

RavensScripts

tell all yours friends... Laughing
 
AndyB
PostPosted: Sat Mar 10, 2007 9:29 am Reply with quote

already have Wink
 
AndyB
PostPosted: Thu Oct 11, 2007 12:41 pm Reply with quote

**UPDATE FOR SENTINEL VERSION 2.5.13**

I've updated my Sentinel version to that above; some of the variables/ code has changed. I'll put my changes below so that other users can see/ use the changes (I know a few of us use this thread when we need to look back)
in includes/nukesentinel.php look at around line 290 for the xss attack script.
Change this:
Code:
// Check for XSS attack

  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
    if( (isset($name) AND (eregi("http\:\/\/", $name) OR eregi("https\:\/\/", $name)))
    OR (isset($file) AND (eregi("http\:\/\/", $file) OR eregi("https\:\/\/", $file)))
    OR (isset($libpath) AND (eregi("http\:\/\/", $libpath) OR eregi("https\:\/\/", $libpath)))
    OR stristr($nsnst_const['query_string'], "http://") OR stristr($nsnst_const['query_string'], "https://")
    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
      block_ip($blocker_row);
    }
  }
}

for this:
Code:
// Check for XSS attack

  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
    if( (isset($name) AND (eregi("http\:\/\/", $name) OR eregi("https\:\/\/", $name)))
    OR (isset($file) AND (eregi("http\:\/\/", $file) OR eregi("https\:\/\/", $file)))
    OR (isset($libpath) AND (eregi("http\:\/\/", $libpath) OR eregi("https\:\/\/", $libpath)))

    // Gallery hack
//original line below
// OR stristr($nsnst_const['query_string'], "http://") OR stristr($nsnst_const['query_string'], "https://")
//replacement code
OR  stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "name=gallery") OR stristr($nsnst_const['query_string'], "https://")

//original line below
    // OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
//replacement code
OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery") )
//end of gallery hack

    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
      block_ip($blocker_row);
    }
  }
}


I'm using a patched 7.6 nuke (over 3.3 or so), and we've tested it ok. If Raven/ other clever bod can check I've not borked the code up Very Happy

I take no responsibility for you using this code- but I hope it helps! Wink

Thanks for the system guys- script kiddies have been mental lately- the upgrade was necessary because of the IP2Country range, among others...
 
myrtletrees
Involved
Involved


Joined: Sep 13, 2005
Posts: 259
Location: Cornfields of Indiana

PostPosted: Wed Feb 13, 2008 1:57 pm Reply with quote

helped me, thanks!

and yes, the nuke sites I manage have been getting hammered by Filter attacks lately too.
 
View user's profile Send private message
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©