Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

PostPosted: Fri Aug 13, 2004 11:27 pm Reply with quote

Apparently a member of my site set off NukeSentinel™'s Script Blocker. Was it an innocent deed caused by a bug in either Site Messenger or in NukeSentinel or was he pasting some illicit code into the input of Messenger? You, the jury, decide and I the judge will be guided by your wisdom haha
Code:


Date & Time: 2004-08-13 14:43:06
Blocked IP: 81.244.8.*
User ID: B--- (5)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: southernwolf.net/modules.php?subject=Re%3A+Hi&msg_text=No%2C+I+dumped+her+because+a+friend+of+her+told+me+she+wanted+to+dump+me+after+the+exams.+So%2C+I+said+%22the+sooner+I%27m+of+that+lying+biatch%2C+the+better%22.+I+will+for+sure.+I+think+I+know+someone%2C+he%27s+a+little+bit+weird%2C+but+I+think+he%27ll+like+this+very+much.&name=Site_Messenger&file=buddy&to_userid=3&op=send&to=graywolf&x=68&y=13
Forwarded For: none
Client IP: none
Remote Address: 81.244.8.*
Remote Port: 1353
Request Method: GET
--------------------
Who-Is for IP
81.244.8.112 
         
           


OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    Singel 258
Address:    1016 AB
City:       Amsterdam
StateProv:
PostalCode:
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   81.0.0.0 - 81.255.255.255
CIDR:       81.0.0.0/8
NetName:    81-RIPE
NetHandle:  NET-81-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:
Updated:    2004-03-16
 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
Dauthus
Worker
Worker


Joined: Oct 07, 2003
Posts: 211

PostPosted: Fri Aug 13, 2004 11:43 pm Reply with quote

Sorry, but I don't see where this user actually did anything wrong. Am I missing something here?
 
View user's profile Send private message Visit poster's website
southern
PostPosted: Fri Aug 13, 2004 11:56 pm Reply with quote

So why'd I get this? Is it a bug in Sentinel™? Or what? Maybe it was the word bitch that set it off? Who knows. Don't mind the judge and jury talk, I'm quite lenient. Really. Smile
 
Dauthus
PostPosted: Sat Aug 14, 2004 2:03 am Reply with quote

One thing I have noticed is I always get an email indicating my username was banned every time I send a private message to anyone. (I'm the admin, so my username is protected) I guess this could be some type of bug, but I don't know much about these systems. You could try and report this in the bug section and see what they say.
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sat Aug 14, 2004 3:11 am Reply with quote

The filter "script" and "filter" are going to be more prone to false positives with third party applications then most of the other blockers. I believe southern didn't you have some with SiteMessenger before? Not sure it was you but I do recall someone posting about that.

Dauthus strange can't say I've seen that before except when someone had a theme that was missing a quote so a style= string was triggering a blocker. But we use the forum private messeges all the time here without any false positives.

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sat Aug 14, 2004 8:31 am Reply with quote

No false positive. Here is the url decoded text:
Quote:
Re: Hi&msg_text=No, I dumped her because a friend of her told me she wanted to dump me after the exams. So, I said "the sooner I'm of that lying biatch, the better". I will for sure. I think I know someone, he's a little bit weird, but I think he'll like this very much.&name=Site_Messenger&file=buddy&to_userid=3&op=send&to=graywolf&x=68&y=13

Nuke would also have banned this. It's not a Sentinel unique issue. The "" and ' marks are the problem. You can turn the filters off and design your own strings but you are opening yourself up to hack attempts. Personally, I would not use an application that sends freeform text like that with either a GET or a POST header.
 
View user's profile Send private message
Dauthus
PostPosted: Sat Aug 14, 2004 11:39 am Reply with quote

Quote:
Dauthus strange can't say I've seen that before except when someone had a theme that was missing a quote so a style= string was triggering a blocker. But we use the forum private messeges all the time here without any false positives.


Here's what I am getting: I am going to try the change the theme and see if it is still happening. I will let you know.

Code:
Date & Time: 2004-08-14 00:36:52

Blocked IP: 66.82.xxx.xxx
User ID: Dauthus (2)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts) Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 66.82.xxx.xxx
Remote Port: 3693
Request Method: GET
--------------------
 
southern
PostPosted: Sat Aug 14, 2004 12:18 pm Reply with quote

Raven wrote:
No false positive. Here is the url decoded text:
Quote:
Re: Hi&msg_text=No, I dumped her because a friend of her told me she wanted to dump me after the exams. So, I said "the sooner I'm of that lying biatch, the better". I will for sure. I think I know someone, he's a little bit weird, but I think he'll like this very much.&name=Site_Messenger&file=buddy&to_userid=3&op=send&to=graywolf&x=68&y=13

Nuke would also have banned this. It's not a Sentinel unique issue. The "" and ' marks are the problem. You can turn the filters off and design your own strings but you are opening yourself up to hack attempts. Personally, I would not use an application that sends freeform text like that with either a GET or a POST header.


So Sentinel™- and nuke- did what it's supposed to. Blocked a script. This member and me were chit chatting on Site Messenger for about five or ten minutes with no problem when bing he dropped off the site. I have the Messenger thing set for registered users only. Well, I'll be gracious and unban him this once. Good test of Sentinel™ and I'm sure 2.0.1 is even better. Smile

sixone, yes I had a prob with Site Messenger a few months ago when I was getting an 'I don't like you' message from it, and I took it off then, but this is a later version from flashnukers and I haven't seen that odd message yet.
 
sixonetonoffun
PostPosted: Sat Aug 14, 2004 7:14 pm Reply with quote

Sounds like a pretty cool addon Southern I just don't get time to try them all Confused

Dauthus it looks like it may be just what I was refering to before. The \" on the end of the string being reported is likely a code error in the theme tpl for the PM's.
 
ring_c
Involved
Involved


Joined: Dec 28, 2003
Posts: 276
Location: Israel

PostPosted: Mon Oct 11, 2004 6:51 am Reply with quote

I too have a problem with Sentinel 2.02 and Site Messenger 1.3.
Sentinel already banned 3 users using while using the Site Messenger. So I had to drop the Script blocker! Sad

No other solution?
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Mon Oct 11, 2004 8:45 am Reply with quote

Get rid of that \" - That's how scripts pass injection logic.
 
ring_c
PostPosted: Mon Oct 11, 2004 8:48 am Reply with quote

Raven wrote:
Get rid of that \" - That's how scripts pass injection logic.

HOW?!?!
 
southern
PostPosted: Mon Oct 11, 2004 7:18 pm Reply with quote

I'd like to know, too. Actually Site Messenger ain't a bad thing, if it weren't for the fact it seems to set off Sentinel™...
 
sixonetonoffun
PostPosted: Mon Oct 11, 2004 8:28 pm Reply with quote

Its fun to use. But it has some fairly serious issues. I looked at it again this morning. It would be nice if the site that maintains it would simply come out with an updated version.

Its cool because its almost as real time as a messenger but you don't have to give out your regular messenger handle which is cool. If your using it check out the Subject line I don't think it would take much to slip a nifty java redirect into it. Its dangerous because in part it lives outside of both nuke and phpbb but has full access to the services they do.
 
southern
PostPosted: Mon Oct 11, 2004 8:38 pm Reply with quote

Well, that's why I took off SM, those 'issues' you and Raven have pointed out.
SM has potential as not only an in-site messenger but a cross-site messenger, but until it has better security it's a no go on my site. BTW love your sig, got one for us animals who eat tasty people? haha
 
blith
Client


Joined: Jul 18, 2003
Posts: 977

PostPosted: Tue Oct 12, 2004 7:31 am Reply with quote

ring_c wrote:
Raven wrote:
Get rid of that \" - That's how scripts pass injection logic.

HOW?!?!

I would like to know this to. I was getting the same thing and posted about it here Only registered users can see links on this board! Get registered or login!
I do not use Site Messenger.
 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©