Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ Bug Reports
Author Message
Dauthus
Worker
Worker


Joined: Oct 07, 2003
Posts: 211

PostPosted: Fri Jun 10, 2005 5:18 pm Reply with quote

I have a kind of game set up in my forums called hidden image. There is a button which flashes the words "click me" that randomly appears in different posts. Once it is clicked, the button randomly goes to another post and the user is given 500 points for finding it.

My only problem is when a user now clicks on the button they get banned. The link for the post with the image is here: DONT CLICK IT OR YOU WILL BE BANNED!!
Only registered users can see links on this board! Get registered or login!

The button is at the bottom of the post, next to the profile button.

When the user clicks on the button, they are sent to this location:
Only registered users can see links on this board! Get registered or login!

Which is a legitimate link. The only problem is they are getting banned. Any way to work around this?

Specifics:

PHP-Nuke 7.4 patched 2.9 (the one prior to 3.0)
Sentinel 2.2.1

_________________
Only registered users can see links on this board! Get registered or login!
Vivere disce, cogita mori 
View user's profile Send private message Visit poster's website
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Sat Jun 11, 2005 12:30 am Reply with quote

NukeSentinel(tm) checks for the following:
Code:
  // Check for Forum attack

  // Copyright 2004(c) GanjaUK & ChatServ
  if (!stristr($nsnst_const['query_string'],'&file=nickpage') AND stristr($nsnst_const['query_string'],'& user =') AND ($name=="Private_Messages" || $name=="Forums" || $name=="Members_List")) {
    block_ip($blocker_row);
  }


You see there is an attack that uses the word user followed by the = sign in forums which we have protected against.

I suggest you change the link code from user= to something like uid= since it is a number anyway. That would most likely cause you to go thru the mod and find each user= and replace them with uid= as well though.

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
Dauthus
PostPosted: Sat Jun 11, 2005 4:55 pm Reply with quote

Couldn't I add something so the query makes an exception if the stirng is called with the "randimage" file?

I hate to try and find and replace all the user to uid in this mod and then try and get the code to work again, if I can just make an exception for the specific file I use.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sat Jun 11, 2005 6:38 pm Reply with quote

Try changing (not tested)
Code:
stristr($nsnst_const['query_string'],'& user =')
to
Code:
(stristr($nsnst_const['query_string'],'& user =') AND !stristr($nsnst_const['query_string'],'randimage'))
 
View user's profile Send private message
Dauthus
PostPosted: Sat Jun 11, 2005 8:06 pm Reply with quote

Thanks! I'll let you know how it goes.

Edit: It works perfectly. Thanks for the help.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ Bug Reports

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©