Ravens PHP Scripts: Forums
Forum: Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.5.x
Dauthus (Worker; Joined: Oct 07, 2003; Posts: 211)
Posted: Tue Aug 01, 2006 9:31 am

Here's the report from Sentinel:

Code:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Query String: [ Only registered users can see links on this board! Get registered or login! ]

Get String: [ Only registered users can see links on this board! Get registered or login! ]
Post String: [ Only registered users can see links on this board! Get registered or login! ] Forwarded For: none Client IP: none Remote Address: 72.64.111.144 Remote Port: 60995 Request Method: GET


It appears this is a valid string within the Gallery 2 module. Anyone have a suggestion for a way to bypass the Filter for the Gallery 2 module?

montego (Site Admin; Joined: Aug 29, 2004; Posts: 9457; Location: Arizona)
Posted: Tue Aug 01, 2006 8:11 pm

This is an issue with the http being referenced in the link. It was actually introduced in one of the later 2.4.2 pl patches to stop the flood of hacks going on with the phpBB forums.

I cannot post the exact line for obvious reasons, but look in includes/nukesentinel.php for this line here:

// Check for XSS attack

The next line below that is the IF statement, followed by another line right after it that is very generic in catching http. Comment out that line.

However, I must warn you that it is a risk. I know there is a thread on this somewhere, but I am not where I can very easily look for it. It may be in the 2.4.2 forum.

Dauthus
Posted: Tue Aug 01, 2006 10:27 pm

Nuts. I thought this may have been a new one. I thought it was already fixed from this post:
[ Only registered users can see links on this board! Get registered or login! ]

This is a new query that is causing it. This is using the gallery search, not the upload feature. Would it still be the XSS causing this? I applied the fix mentioned in the post, and it fixed the issue with the upload feature.

I just didn't know which part of the code was causing the problem, if the http bypass works on one string and not another.
 
montego
Posted: Wed Aug 02, 2006 5:32 am

Ok, this is definitely odd. I re-read your other posts (sorry, did not recall that the last thread was from you...). What was your final XSS filter code that you came up with? Would you please post it here (I see now that it doesn't trip NS).
 
Dauthus
Posted: Wed Aug 02, 2006 6:14 pm

Code:
// Check for XSS attack
// Note: in PHP "AND" binds tighter than "OR", so the trailing
// !stristr(..., "../") test applies only to the "concat" clause;
// the parentheses below make that grouping explicit without changing it.
  if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
  // Added protection for gallery2 module
  //OR stristr($nsnst_const['query_string'], "http://")
  OR ( stristr($nsnst_const['query_string'], "http://") AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery2") )
  // END gallery2 protection
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR ( stristr($nsnst_const['query_string'], "concat") AND !stristr($nsnst_const['query_string'], "../") ) ) {
    block_ip($blocker_row);
  }


The only other change was adding an exception for MS_Topsites as members trying to report a cheat were being banned also. Both of them do not cause a ban now. It's just this new string in the gallery2 module that is being banned.

UPDATE: I have found clicking on "Advanced Search" in the gallery2 module causes a ban similar to this. Still haven't figured out why.

AFTER THOUGHT: Would it be possible to engineer a database-driven string protection (the reverse of the string blocker) addon in the admin panel? This way a user could copy and paste the valid string and add it to the database as a protected string. It would be site specific, and no one on the outside would know any different.
 
montego
Posted: Thu Aug 03, 2006 6:13 am

Try this first: Modify your changed line to only look for the string "gallery2".

If that doesn't work, comment out the line altogether.

I am really struggling to see which one of these conditions is tripping this.

Regarding your "AFTER THOUGHT" comment, it sounds like a great idea. I would suggest posting this in the NukeSentinel Enhancement Requests forum.
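As an added example (not NukeSentinel's code and not from either poster), the query-string part of the filter posted above is split into separately named clauses, so an admin can see which clause fired on a banned request instead of guessing, which is the difficulty raised in the last two posts. The eregi() tests on $name/$file/$libpath are left out, and the query strings (including the gallery2 parameter names) are constructed samples, since the real gallery2 URLs are not visible in the thread.

```php
<?php
// Added example, not NukeSentinel's own code: evaluate each query-string clause
// of the "Check for XSS attack" condition on its own and return the names of the
// clauses that fired, so a false positive can be traced to one clause.
// Requires PHP 7.4+ (arrow function). The eregi() tests on $name/$file/$libpath
// from the posted block are not modelled here.
function xss_filter_hits(string $qs): array
{
    $has = fn(string $needle): bool => stristr($qs, $needle) !== false;
    $clauses = [
        // Dauthus's gallery2 exception: links are tolerated only in gallery2 URLs
        'http_outside_gallery2' => $has('http://') && !$has('modules.php?name=gallery2'),
        'cmd_param'             => $has('cmd=')    && !$has('&cmd'),
        'exec_not_execu'        => $has('exec')    && !$has('execu'),
        // In the posted code AND binds tighter than OR, so the "../" exclusion
        // belongs to this clause only.
        'concat_without_dotdot' => $has('concat')  && !$has('../'),
    ];
    return array_keys(array_filter($clauses));
}

// Constructed sample query strings (the gallery2 parameter names are made up).
$samples = [
    'gallery2 search containing a URL' => 'modules.php?name=gallery2&g2_view=search&q=http://example.test/',
    'URL in a non-gallery2 request'    => 'modules.php?name=News&url=http://example.test/',
    'gallery2 search for "executive"'  => 'modules.php?name=gallery2&q=executive',
    'gallery2 search for "cmd=dir"'    => 'modules.php?name=gallery2&q=cmd=dir',
    'SQL concat() in a search query'   => 'modules.php?name=Search&query=concat(user,0x3a,pass)',
];

foreach ($samples as $label => $qs) {
    $hits = xss_filter_hits($qs);
    printf("%-34s %s\n", $label, $hits ? 'BLOCK (' . implode(', ', $hits) . ')' : 'pass');
}
```

To check a real ban, paste the Query String from the Sentinel report into $samples and run the script from the command line; the clause names printed are the ones to narrow or add an exception for.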
 
Powered by phpBB © 2001-2007 phpBB Group