Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Mon Jul 17, 2006 7:18 am Reply with quote

Maybe Sentinel could make an exception if the link is exactly of the form:
Only registered users can see links on this board! Get registered or login!

when the user is an admin? I dunno, just throwing things out on the table.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Mon Jul 17, 2006 7:31 am Reply with quote

Thats a VERY good point, I had not even thought about the referer showing the admin page address.
I'll have to check that by linking between two of my sites when I get the time.
 
View user's profile Send private message Send e-mail
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Jul 19, 2006 12:01 am Reply with quote

Here's a quick fix. The one on my actual site is a little different, so this is sorta untested. (I've hacked it to show the same referrals grouped together, with a group count for easier display)

Code:


in admin/modules/referers.php


FIND

index.php?url=$url

REPLACE WITH

index.php?url=$rid



in index.php

FIND

if (isset($url) AND is_admin($admin)) {
   Header("Location: $url");
   die();
}

REPLACE WITH

if (isset($url) AND is_admin($admin)) {
   $url = intval($url);
   $sql = "SELECT url FROM ".$prefix."_referer WHERE rid='$url'";
   $result = $db->sql_query($sql);
   list($url) = $db->sql_fetchrow($result);   
   Header("Location: $url");
   die();
}

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Gremmie
PostPosted: Wed Jul 19, 2006 7:46 pm Reply with quote

Evaders, I haven't tried this out, but it sure looks promising. I think in practice you would have to pass another variable to tell index.php which database to use. In other words, you gotta tell it where the link is...in the pending web links table, the referers table, etc. And then index.php would do a switch on the link type and do something similar to what you have above for each type of link.
 
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Wed Oct 18, 2006 10:34 pm Reply with quote

Gremmie wrote:
I didn't say I was going to remove anything in Sentinel.

In my version of PHP-Nuke, 7.9 w/Chatservs patches, there are lots of places in the admin functions where external links get generated in the form:
Only registered users can see links on this board! Get registered or login!

When I look in index.php I see this:

Code:


if (isset($url) AND is_admin($admin)) {
   Header("Location: $url");
   die();
}


FB or whoever had a reason why external links in admin areas got generated like that....does anyone know the rationale?

Clearly I would rather have Sentinels XSS protection, but it will mean changing a lot of code in my PHP-Nuke...or just not clicking on those links in the admin areas.


Open includes/nukesentinel.php and find(about line 288):
Code:
  // Check for XSS attack

  if($op != "hreferer") {


Change the if line to the following:
Code:
 if($op != "hreferer" OR (!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin']))) {


Report back if this takes care of your issue so I'll know if it works for 2.5.03 .

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
BobMarion
PostPosted: Wed Oct 18, 2006 10:39 pm Reply with quote

Gremmie wrote:
I didn't say I was going to remove anything in Sentinel.

In my version of PHP-Nuke, 7.9 w/Chatservs patches, there are lots of places in the admin functions where external links get generated in the form:
Only registered users can see links on this board! Get registered or login!

When I look in index.php I see this:

Code:


if (isset($url) AND is_admin($admin)) {
   Header("Location: $url");
   die();
}


FB or whoever had a reason why external links in admin areas got generated like that....does anyone know the rationale?

Clearly I would rather have Sentinels XSS protection, but it will mean changing a lot of code in my PHP-Nuke...or just not clicking on those links in the admin areas.


By the way:
Code:
if (isset($url) AND is_admin($admin)) {

   Header("Location: $url");
   die();
}


in index.php is a cheap way of getting another hit on your site from the admin clicking the links. Sounds just like something mr. burzi would do to bloat his own site hits count Wink It came about in version 7.2 for trivia buffs Smile
 
evaders99
PostPosted: Wed Oct 18, 2006 10:57 pm Reply with quote

No, there was a very good reason. It was a deliberate way not to have the referral passes through your admin page.
 
BobMarion
PostPosted: Wed Oct 18, 2006 11:21 pm Reply with quote

My question is why have it pass thru anything? Know what I mean? Why have it generate a hit when the admin is checking links. Anyway, neither here nor there where NS is concerned. Main thing if the patch prevents a blocked page from appearing to an admin.
 
evaders99
PostPosted: Thu Oct 19, 2006 12:26 am Reply with quote

At least with my fix, it doesn't pass the entire URL into the querystring. Smile

What I'm saying is, if it is a directly link to a 3rd party site, that referral could appear that it is coming from your page
admin.php?op=hreferer

If you're renamed the admin page, you don't want them to know what your admin panel is. 3rd party will only see index.php in their referrals by the hack FB did
 
BobMarion
PostPosted: Thu Oct 19, 2006 9:58 pm Reply with quote

evaders99 wrote:
At least with my fix, it doesn't pass the entire URL into the querystring. Smile

What I'm saying is, if it is a directly link to a 3rd party site, that referral could appear that it is coming from your page
admin.php?op=hreferer

If you're renamed the admin page, you don't want them to know what your admin panel is. 3rd party will only see index.php in their referrals by the hack FB did


I'm not being a pain here but:
As of 7.2 Downloads, Web Links and Stories pass links thru the index.php file as index.php?$url .
As of 7.6 the referers.php admin file passes the url thru the index.php file as index.php?$url .

This is new not a change from passing it thru the admin file. Links where never passed thru anything until the above took place. It does hide the referering url in your case but why not have a file named pass.php with nothing but:
Code:
if (isset($url)) {

   Header("Location: $url");
   die();
}
in it instead of opening you index.php file to possible sql injection? To me this makes a lot more sense then anything else. It wouldn't call mainfile.php, it would generate the sql queries that mainfile does, and it could not do any harm to your site at all. Do you see the point I'm making. Worsest case someone would see a blank page Smile
 
Gremmie
PostPosted: Fri Oct 20, 2006 6:13 pm Reply with quote

BobMarion wrote:

Report back if this takes care of your issue so I'll know if it works for 2.5.03 .


Hi Bob,

I still got blocked when visiting a newly submitted link in the admin area. Thanks.
 
BobMarion
PostPosted: Fri Oct 20, 2006 6:58 pm Reply with quote

I've shortened it a little bit so maybe it will work for you now. Change it to:
Code:
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin'])) {
This works perfectly for me on my test sites (I have 11 versions of nuke to test with Smile)
 
Gremmie
PostPosted: Fri Oct 20, 2006 8:19 pm Reply with quote

That works for me. Thanks!
 
evaders99
PostPosted: Sun Oct 22, 2006 4:22 pm Reply with quote

I agree, it shouldn't be passing the full URL in the first place.

But it should do an is_admin() check to stop anyone from using your site as a redirector.
If anyone could place a pass.php?url=http:// term in there, it could be used by spammers and others
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©