Ravens PHP Scripts: Forums
 

 

fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Jun 26, 2006 3:01 pm

I'm using Sweetphp's TotalCalendar software with my Ravennuke system and Sentinel PL9.

One of my users is getting booted by Sentinel for the following script:

Quote:
Date & Time: 2006-06-26 13:11:19 PDT GMT -0700
Blocked IP: xx.xxx.46.55
User ID: xxxx (xxxx)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Query String: xxxx.org/rn/modules.php?name=Event_Calendar&file=nuke_loader&dir=admin&extra_file=manage_events
Get String: xxxx.org/rn/modules.php?name=Event_Calendar&file=nuke_loader&dir=admin&extra_file=manage_events
Post String: xxxx.org/rn/modules.php?name=Event_Calendar&file=nuke_loader&id=8&action=Save Changes&selectedRepMethod=4&eTitle=MHCC Century&eDesc=<p class=\"MsoNormal\" style=\"MARGIN: 0in 0in 0pt\"><strong><i><span style=\"FONT-SIZE: 18pt; COLOR: purple; FONT-FAMILY: Verdana; mso-bidi-font-family: Verdana\">MHCC CENTURY WEEKEND</span></i></strong><span style=\"FONT-SIZE: 18pt\"><br/></span><font face=\"Verdana\">(More info to come in July and August BikeAbouts)<span style=\"FONT-SIZE: 18pt\"><p></p></span></font></p><p></p><p></p><p class=\"MsoNormal\" style=\"MARGIN: 0in 0in 0pt\"><span style=\"FONT-SIZE: 18pt\"><p><font face=\"Verdana\">&nbsp;</font></p></span></p><p><font face=\"Verdana\">&nbsp;</font></p><p></p><p class=\"MsoNormal\" style=\"MARGIN: 0in 0in 0pt\"><font face=\"Verdana\">September 9 &amp; 10, 2006<br/><place w:st=\"on\"></place><city w:st=\"on\"></city>Saratoga Spa State Park</font></p><p class=\"MsoNormal\" style=\"MARGIN: 0in 0in 0pt\"><font face=\"Verdana\">(
Forwarded For: none
Client IP: none
Remote Address: xx.xxx.46.55
Remote Port: 1265
Request Method: POST


Reading Sentinel it looks to me like he's getting hung up on:

Code:
 foreach($_POST as $secvalue) {
   // block the sender when any single POST value matches one of these tag patterns
   if((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
   //(eregi("\.\./", $secvalue)) ||
   (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
     block_ip($blocker_row);
   }
 }


Am I reading it right that it would block the string "style"?

TotalCalendar uses the fckeditor and gives the users a nice big area to input the descriptions of events they are planning. I know a lot of them compose the events in Word and try to copy and paste it in. Word gives me heartburn with the way it composes HTML, but that's a different issue. Is this just not going to work if I leave the scripting blocker turned on, or should I tell the users they can't copy and paste from Word, or am I totally off base on my diagnosis of the problem? Has this issue surfaced with the implementation of fckeditor more generally?
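
The question in the post above (would these patterns block the string "style"?) can be checked directly. This is an added example, not part of the original post and not NukeSentinel's code: it moves the four patterns from the excerpt to case-insensitive preg_match(), since eregi() was removed in PHP 7, and runs them over sample values. The helper `matched_rules()` and the `$samples` array are assumptions made for illustration; the first three samples are tags quoted in this thread, the rest are constructed.

```php
<?php
// Added example, not NukeSentinel code: the four patterns from the excerpt,
// moved from eregi() to preg_match() with the /i flag. The patterns use only
// bracket expressions, * and ?, so the same inputs match.
$patterns = [
    'onmouseover' => '~<[^>]*onmouseover*"?[^>]*>~i',
    'script'      => '~<[^>]script*"?[^>]*>~i',  // [^>] has no *, so exactly one character
    'body'        => '~<[^>]*body*"?[^>]*>~i',
    'style'       => '~<[^>]style*"?[^>]*>~i',   // [^>] has no *, so exactly one character
];

// Hypothetical helper: names of the rules that one POST value would trip.
function matched_rules(array $patterns, string $value): array
{
    $hits = [];
    foreach ($patterns as $name => $regex) {
        if (preg_match($regex, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Values keep the \" escaping seen in the logged POST string.
$samples = [
    'Word paragraph (from log)'  => '<p class=\"MsoNormal\" style=\"MARGIN: 0in 0in 0pt\">',
    'inline span (from thread)'  => '<span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">',
    'smart tag (from thread)'    => '<place w:st=\"on\"></place>',
    'style block (constructed)'  => '<style>p.MsoNormal{margin:0in}</style>',
    'img alt text (constructed)' => '<img alt=\"everybody welcome\" src=\"ride.jpg\">',
    'plain text (constructed)'   => 'Freestyle ride, everybody welcome',
];

foreach ($samples as $label => $value) {
    $hits = matched_rules($patterns, $value);
    printf("%-28s %s\n", $label, $hits ? implode(', ', $hits) : 'no match');
}
```

Run from the command line with `php`: the three tags taken from the thread trip none of the four rules, the `body` rule fires on any tag that merely contains the letters "bod", and the `style` rule fires only where exactly one character sits between `<` and `styl`, as in `</style>`.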
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Mon Jun 26, 2006 8:22 pm

I haven't seen that issue. Have you tried the Paste from Word button? It removes a lot of the extraneous stuff Word adds.

Could it also be these non-standard tags?
Code:
<place w:st=\"on\"></place>

<city w:st=\"on\"></city>

Try it without that to see if it's blocked.

_________________
I google, therefore I exist...
fkelly
Posted: Mon Jun 26, 2006 8:30 pm

I will try your suggestions, thanks. I need some eregi lessons but it does look to me that the string "style" might be blocked.

One problem is that I have opened up calendar entries to users and I have little control over what they might copy and paste in there or how they do it. I just wind up unbanning them afterwards. Tomorrow I will cook something up in Word and try it a couple of ways.
 
kguske
Posted: Mon Jun 26, 2006 8:35 pm

For reference, in which file did you find that code?
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

Posted: Tue Jun 27, 2006 6:22 am

Yes, you guys are correct. That is exactly what is stopping this. (It's in includes/nukesentinel.php, or are you asking which calendar file?) Personally, I think it is very poor architecture for TotalCalendar to be doing this on the GET string, but that is beside the point.

Unfortunately, removing that check opens you up. You may need to put a check in nukesentinel.php to not do that check if the module name is Event_Calendar.

fkelly
Posted: Tue Jun 27, 2006 6:33 am

LOL, okay I want to understand more as usual Montego. First of all this is in the post string, not the get string. I can understand how you would want to filter out the script tag, you certainly don't want someone embedding a script. But why not a style? If it's a style from a css file wouldn't it have to be loaded on the web site itself and thus not a vulnerability? Or is the worry that they could load a style sheet from an external site? But I don't see how they'd do that (I'm debating myself). If it's an inline style ... well they couldn't put a script inside the style and what other harm could they do?

As we move more to wysiwyg editors aren't we going to be seeing more html, including styles inside what gets "posted" and are we going to have more and more fights with Sentinel? Kguske would know more about the editor issue I'm sure.
 
montego
Posted: Tue Jun 27, 2006 7:04 am

Sorry about the GET vs. POST! I didn't read it carefully enough.

style is not allowed for user input because it can open up, I believe, to XSS style attacks. BUT, I am sorry to say, you will have to ask the experts on that (Raven and BobMarion). I would have to guess it has something to do with being able to pull in "images" from anywhere, and they may not really be images????

Quote:

As we move more to wysiwyg editors aren't we going to be seeing more html, including styles inside what gets "posted" and are we going to have more and more fights with Sentinel? Kguske would know more about the editor issue I'm sure.


I say the following without a lot of "thought": it is definitely going to be a problem! Even if the editor is coded well enough to also check for XSS and other style of exploits, one can still bypass the editor with a direct get/post attack.

What we may have to investigate further, is the actual kses functions to see if they are appropriately validating the style tags, but doubtful, because it would have no idea if an image is really an image.

Don't know how to resolve this except cut off the hands of every hacker in the world and see if that would deter new ones from getting "into the trade"...
 
fkelly
Posted: Tue Jun 27, 2006 9:11 am

I've been trying to duplicate the problem all morning and getting nowhere. I don't have event calendar at my test site and I don't want to mess with my production site and Sentinel isn't working right on my localhost so that makes it all the more complicated. But I did try submitting news after copying and pasting in from Word. Kguske is of course perfectly right that the "paste from word" option cuts out a lot of junk that Word would otherwise include (unnecessary styles etc.).

But I have been unable to get Sentinel to choke on the post strings. It appears to me that the codes are somehow encapsulated and not exposed to the Sentinel filters, the exact mechanism by which I don't understand. I put some echoes into Sentinel to show the get and post strings as well as the $secvalue down where it does foreach ($_POST ...)

Here's what shows on my screen after submitting a simple news article with a few bolds and centers in it from Word:

Quote:
query string name=Submit_News
get string name=Submit_News
post string subject=this is any story&topic=1&story=

This is bold

This is centered

This is from word

This should be enough
&storyext=&op=Ok!
this is any storysecvalue
1secvalue

This is bold

This is centered

This is from word

This should be enough
secvalue
secvalue
Ok!secvalue


The bolded text shows as bold but the centered isn't centered.

And here's the view source (sorry it's a bit much but such a lot of info in there):

Quote:
query string name=Submit_News<br>get string name=Submit_News<br> post string subject=this is any story&topic=1&story=<p><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This is bold<span style=\"\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></font></strong></p>
<p><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">&nbsp;</span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This is centered </span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">&nbsp;</span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This is from word</span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">&nbsp;</span></font></strong></p>
<p align=\"center\"><strong><u><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This should be enough</span></font></u></strong></p>&storyext=&op=Ok!<br>this is any storysecvalue <br>1secvalue <br><p><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This is bold<span style=\"\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></font></strong></p>

<p><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">&nbsp;</span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This is centered </span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">&nbsp;</span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This is from word</span></font></strong></p>
<p align=\"center\"><strong><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">&nbsp;</span></font></strong></p>
<p align=\"center\"><strong><u><font size=\"2\" face=\"Arial\"><span style=\"font-size: 10pt; font-family: Arial; font-weight: bold;\">This should be enough</span></font></u></strong></p>secvalue <br>secvalue <br>Ok!secvalue


So you can see that there's lots of style codes in there but Sentinel isn't objecting.

In short I'm not sure why that event calendar entry was blocked and it appears that the wysiwyg editor generally gets past Sentinel (or we would have seen a lot of problems earlier than this).
 
montego
Posted: Tue Jun 27, 2006 8:34 pm

By any chance were you logged in as admin when you were doing these style checks? Take a closer look at the top of the Scripting attack code in nukesentinel.php.

But, if that isn't it... we've definitely got some analysis to do...
 
fkelly
Posted: Wed Jun 28, 2006 7:16 am

Montego: no, I thought of that and was going back and forth between the plain user id. I also looked to make sure that I didn't have my IP address on the don't ban list.

As you know, testing this stuff can be a pain. Having the diagnostics in Sentinel for instance and dumping them to the screen stops the graphics in the login screen from working so you can't easily go back and forth between users without editing in and back out the diagnostics. It's another topic but I've been thinking how nice it would be if we had some kind of global diagnostics switch in Nuke (not just display errors which often doesn't work for me) and built certain variable and SQL "dumps" into the code to be triggered when diagnostics were on. End of digression.
 
kguske
Posted: Wed Jun 28, 2006 9:32 am

A good idea to have global diagnostics. Other great open source applications have that capability, and it shouldn't be too hard to implement. I think we should add it to the RN list.
 
montego
Posted: Thu Jun 29, 2006 6:37 am

Quote:

Montego: no, I thought of that and was going back and forth between the plain user id. I also looked to make sure that I didn't have my IP address on the don't ban list.


Uuughhh... well, that is disconcerting. I have just PM'd you.

kguske: I agree. Do you mind adding it? thx.
 
kguske
Posted: Thu Jun 29, 2006 7:01 am

It's been added to our issues list.
 
All times are GMT - 6 Hours
 