Sentinel filter error? (Abuse script)

New Member Joined: Jun 08, 2008 Posts: 2

I am very glad with Nuke Sentinel. It has kept off a lot of evil users from my site. I however discovered a possible error.

When a $_POST variable contains the following string, a user is blocked:

Quote:

The user is told that he tried to do a 'Script attack'

I think this is not correct. I reviewed the filter and discovered that the following condition triggers the abuse script filter.

Quote:

(eregi("<[^>]*meta*\"?[^>]*", $secvalue))

In this condition, there are two problems:
1) The part meta* causes us to look for 'met' followed by 0 or more 'a'. But this is not the intention. I expect we want to look for 'meta' followed by 0 or more characters. This can be easily fixed by replacing 'meta*' by 'meta.*'.
2) The expression is also triggered when the word 'meta' appears within the href attribute of the <a href="XXXX"> clause. But a <a href="XXXX"> expression is very common and should not be a problem. I do not know how to fix that.

Does anybody have a suggestion?

Posted: Tue Jun 10, 2008 5:28 am

I have tested this using RegexBuddy and can definitely see your point. I do think that these may need to be revisited. I do agree with your "fix" in 1). I think that is an issue with each of these. Unfortunately, 2) is far more complex, needs a strong regex person to address, and would require extensive testing. Just saying that the longer-term "fix" will take time.

Thank you for bringing this to our attention.

Posted: Wed Jun 11, 2008 4:27 pm

Thank you for your help! Without nuke sentinel, my life would be much more difficult.

I made a temporary fix. In order to prevent abuse in case of an error, I sent it to 'montego' by PM.

Posted: Thu Jun 12, 2008 6:02 am

I have forwarded this thread to the author of NS as well. A change like this is not to be taken lightly given what it is intended to stop in terms of XSS injection.