Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ Bug Reports

bretonmage
Hangin' Around
Joined: Mar 30, 2004
Posts: 34

Posted: Tue Jul 20, 2004 4:01 pm

Whenever trying to access the "commands" section of Autothemes, Sentinel throws an email at me and I get redirected. Just thought I'd let you know.

The URL is: admin.php?module=AutoTheme&op=cmdedit
 
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496

Posted: Tue Jul 20, 2004 4:24 pm

Hate to ask, but is that the only URL with cmd in it?

_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30

sixonetonoffun
Posted: Tue Jul 20, 2004 4:36 pm

Anyway, I briefly tested this exclusion; it seemed to work.
Under // Check for XSS attack, replace the existing if statement with this, only if you're using AutoTheme.
Code:

// Check for XSS attack -- the !eregi("cmdedit", ...) clause is the AutoTheme exclusion,
// so admin.php?module=AutoTheme&op=cmdedit no longer trips the "cmd" match
if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring) AND !eregi("cmdedit",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {
 
bretonmage
Posted: Tue Jul 20, 2004 5:50 pm

My site will still be as safe as it was?
 
sixonetonoffun
Posted: Wed Jul 21, 2004 1:40 pm

Honestly, I'm not sure; that's why I said to only use it on AutoTheme. But yeah, it will still catch cmd or cmd= etc...
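The exclusion posted above and the "still catches cmd" reply, as an added PHP example that is neither NukeSentinel's code nor the poster's: it wraps the posted condition in a function (preg_match stands in for eregi, which no longer exists in current PHP; the substring patterns are the posted ones) and runs it over constructed query strings so you can see what the rule lets through and what it still blocks. The sample inputs and the expected results are assumptions made for the demonstration.

```php
<?php
// Added example, not NukeSentinel's own code: the posted "Check for XSS attack"
// condition as a function, with preg_match() replacing the removed eregi().
function sentinel_xss_blocks(string $name, string $querystring): bool
{
    // eregi("needle", $s) equivalent: case-insensitive literal substring test
    $has = function (string $needle, string $haystack): bool {
        return preg_match('/' . preg_quote($needle, '/') . '/i', $haystack) === 1;
    };

    return $has('http://', $name)
        // "cmd" trips the check unless the "&cmd" exclusion or the
        // AutoTheme "cmdedit" exclusion from the thread applies
        || ($has('cmd', $querystring) && !$has('&cmd', $querystring) && !$has('cmdedit', $querystring))
        || ($has('exec', $querystring) && !$has('execu', $querystring))
        || $has('concat', $querystring);
}

// Constructed sample inputs: [name, query string, expected decision]
$samples = [
    ['', 'module=AutoTheme&op=cmdedit', false], // the false positive from the thread, now allowed
    ['', 'cmd=ls',                      true],  // a bare cmd= query is still caught
    ['', 'name=Search&exec=1',          true],  // exec still caught
    ['', 'name=Search&op=execute',      false], // "execu" exclusion applies
    ['', 'q=1%20union%20concat(a,b)',   true],  // concat still caught
    ['http://evil.example/x', '',       true],  // http:// in $name still caught
    // Caveat: the "&cmd" exclusion means this clause does not fire on a cmd
    // parameter that follows another one, so don't rely on this rule alone.
    ['', 'module=Foo&cmd=ls',           false],
];

foreach ($samples as [$name, $qs, $expected]) {
    $got = sentinel_xss_blocks($name, $qs);
    printf("%-32s %s%s\n", $qs === '' ? $name : $qs,
        $got ? 'BLOCK' : 'allow', $got === $expected ? '' : '  (unexpected)');
}
```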
 
bretonmage
Posted: Sun Aug 08, 2004 7:50 am

With the new version of Sentinel this fix no longer works, because that section of code seems to no longer exist in sentinel.php.

Anyone got another solution?
 
sixonetonoffun
Posted: Sun Aug 08, 2004 8:37 am

It's still there, about line 213, under // Check for XSS attack
 
bretonmage
Posted: Sun Aug 08, 2004 2:25 pm

Well, I'm stupid.

-_-'

Sorry.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours