Gallery and sentinel not playing happy

Posted: Sat Feb 10, 2007 1:49 pm

hi guys;

Nuke 7.6
Chatserve patch 3.3
Dis Errors
Gallery 1.1.5 pl1
Sentinel 2.5.01

I've got the two running together, gallery shows as a module and works ok, etc. BUT when a user tries to rename an album (not sure if anything else) it bans the user. Admins cannot rename an album (the directory on the server- although Sentinel doesn't ban them)

I've just spotted there's a Sentinel update available- which I will endeavour to do tomorrow.

I've done searches on hereetc. but you use google for searches (not good in my experience- you can't select which forum to search in, just the whole site)

I'm sure I've had something similar to this in the past... any ideas?

The message from Sentinel is this:

Code:

Blocked IP:   217.208.xx.xxx


User:   <removed by me>


Agent:   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)


Blocked on:   2007-02-09 13:17:18


Notes:   Added by NukeSentinel(tm)


Reason:   Abuse-Filter


 


Query String:   


Get String:   


Post String:   


Forwarded For:   none


Client IP:   none


Remote Address:   217.208.xx.xxx


Remote Port:   1891


Request Method:   GET





Query String: /modules.php?parentName=audioc&return=modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php





Get String: /modules.php?parentName=audioc&return=/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php





Post String: /modules.php

've removed the website URL deliberately.....

User tries to create an album- blocks him

While searching on here, I found something that may have helped:-
[ Only registered users can see links on this board! Get registered or login! ] presumably from the fixes instigated by Chatserv?

Code:

// Check for XSS attack


  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin'])) {


    if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)


     // Added protection for gallery2 module


     //OR stristr($nsnst_const['query_string'], "http://")


     OR ( stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery"))


    // END gallery protection


    // OR stristr($nsnst_const['query_string'], "http://") rem by Andy


    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )


    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )


    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {


      block_ip($blocker_row);

I know the fix was for Gallery2- I edited to try to work with Gallery1. It didn't work though- it still banned the user....

Any comments/ suggestions welcome!

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

We're not ignoring you - we just don't have any answers for you. I don't use Gallery so I don't even have a test bed to try this on. Hopefully there are other users out there that can try this as I know there are many that run NukeSentinel(tm) and Gallery.

Posted: Sun Feb 11, 2007 12:23 pm

Ok- thanks Raven;

I didn't know if it was something that affected other modules in a similar way also. (There were over 10,000 photos on the site, btw)

I've no objection to trying different bits of code- I've got one of the site's regular users who is happy for us to keep trying stuff- and him getting banned/ me unbanning him regularly Very Happy

I would have thought that this was a faorily common module to be used on sites with Sentinel- surely someone must have come across this before though?

Worker Joined: Oct 07, 2003 Posts: 211

The edit you entered won't work with your version or your issue.

The simple reason was the edit in the post you referenced was to "allow" the

Code:

http://

in the string. The

Code:

modules.php?name=gallery

portion was added so only that link would be allowed with the

Code:

http://

to work in sentinel.

Your issue does not have the

Code:

http://

in the string.

I am fairly sure the

Code:

&cmd=

is what is causing the ban. It is part of the XSS code in the includes/nukesentinel.php here:

Code:

  // Check for XSS attack


  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {


    if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))


    OR stristr($nsnst_const['query_string'], "http://")


    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )


    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )


    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {


      block_ip($blocker_row);


    }


  }


}

Specifically this line:

Code:

    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )

The sentinel gurus here should be able to code you a safe inclusion of the gallery module to this line.

Posted: Sun Feb 11, 2007 4:56 pm

cheers!

Fingers crossed- I've tried the nukegallery forums as well, trying to cover "bases"- allowing a couple of days between each new post (each forum- icnuding Uk support site)

I really need this (obviously)

I'm trying to avoid cross site posting, where possible.

I understood (maybe wrongly) that the issue may have been with to do with the "http" being in the title- obviously not.

Fingers crossed.....

Cheers for all help and suggestions- it is appreciated!

Posted: Sun Feb 11, 2007 11:49 pm

There are several fixes that have been posted in these Forums. If I recall correctly they involve "patching" sentinel to allow cmd if the module name is Gallery. But I don't recall the details and don't have time tonight to go searching for you; I know the solutions are here though. Post back if you really can't find it and I'll do some looking around during the week.

Posted: Mon Feb 12, 2007 8:58 am

thanks for the response- I've hammered the search function (Raven, if you have a load of 406 errors it was me- I don't think forum search function liked my query string!)

I've even found some of my earlier posts about a similar thing... Gallery and Sentinel....

(this is reading for later)
In case of you lot reading this are having the same issue, the posts I've come up with to check out in more depth are:
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]
[ Only registered users can see links on this board! Get registered or login! ]

I'll reply once I find whihc one gives me a fix....

Posted: Tue Feb 27, 2007 5:30 pm

tried the one that looked closest to what would work with the code I had (editing this post as I didn't see the copy and paste was the wrong one)

anyway, it didn't work.... (the "fix" I tried)

Posted: Tue Feb 27, 2007 5:38 pm

and I've checked out the other links my search brought up (some were my original posts, lol from years ago on an older version of nuke/ gallery/ sentinel)

The one I posted up above looked like it *should* work, but blocked the user that was testing....

got me stumped this.

Some searches show hightligh and cmd in the search string, but when I try to click the links on here, gives me a forbidden type error.....

Posted: Thu Mar 01, 2007 6:55 am

Ok, first, let us verify that this is what you have within includes/nukesentinel.php:

Code:

  // Check for XSS attack


  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {


    if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))


    OR stristr($nsnst_const['query_string'], "http://")


    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )


    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )


    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {


      block_ip($blocker_row);


    }


  }

Try changing this line here:

Code:

   OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )

To:

Code:

    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery"))

Now, just keep in mind that I do not use gallery any longer, so we'll have to have you tell us if it works or not.

Posted: Thu Mar 01, 2007 4:21 pm

thanks- but didn't work.

I can supply my full includes/ sentinel.php if it helps?

from the email:

Code:

Date &amp; Time: 2007-03-01 22:08:21 GMT GMT +0000


Blocked IP: 84.68.removed by me


Reason: Abuse-Filter


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 2.0.50727) Query String: /modules.php?parentName=user_photos&return=http://www.audifans.net/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php


Get String: /modules.php?parentName=user_photos&return=http://www.audifans.net/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php


Post String: /modules.php


Forwarded For: none


Client IP: none


Remote Address: 84.68.removed by me


Remote Port: 50639


Request Method: GET

Posted: Thu Mar 01, 2007 6:54 pm

Actually it appears it did work. The string you just posted is different than the string you posted previously. This string does have the "http://" within it.

I think now would be the time to also include the first fix you attempted at the beginning of this post along with the one montego gave you. See how that works.

Posted: Thu Mar 01, 2007 8:19 pm

I had a similar "fix" in when I ran Gallery 1.4x and 1.5x. I just went looking for it and didn't find in /includes/nukesentinel.php but I'm not having problems. The reason I think is that I'm running Gallery 2.1x now. But yes, the fix Montego gave you should work.

I'm guessing Gallery 2.1 does things differently since I have it running on 2 sites with different versions of NS and with no problems. Not that upgrading Gallery is for the faint of heart but it might be a solution at some point down the road for you.

Posted: Thu Mar 01, 2007 9:34 pm

That return=http:// might be doing it too.

Posted: Fri Mar 02, 2007 6:42 am

you guys are GOOD! Yes, I just saw too that the posted link is different. http: will definitely trip it.

Posted: Fri Mar 02, 2007 1:38 pm

I tried that- Sentinel still kicked in.

Code:

Date &amp; Time: 2007-03-02 19:32:26 GMT GMT +0000


Blocked IP: 84.68.removed by me


User ID: removed by me


Reason: Abuse-Filter


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 2.0.50727) Query String: [ Only registered users can see links on this board! Get registered or login! ]


Get String: [ Only registered users can see links on this board! Get registered or login! ]


Post String: [ Only registered users can see links on this board! Get registered or login! ]


Forwarded For: none


Client IP: none


Remote Address: 84.68.removed by me


Remote Port: 50327


Request Method: GET

My bit is now: (just in case I mis understood the instructions)

Code:




// Check for XSS attack


  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {


    if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))


    //OR stristr($nsnst_const['query_string'], "http://")   


OR ( stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery"))


    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery"))


    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )


    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {


      block_ip($blocker_row);


    }


  }

Cheers for the help so far guys, much appreciated.

Posted: Fri Mar 09, 2007 3:33 pm

any other ideas?

Cheers!

Andy

Posted: Fri Mar 09, 2007 3:52 pm

Try changing this part:

Code:




!stristr($nsnst_const['query_string'], "modules.php?name=gallery")

To this:

Code:




!stristr($nsnst_const['query_string'], "name=gallery")

For some reason your links aren't getting generated as modules.php?name=gallery...it is putting other stuff first.

Posted: Fri Mar 09, 2007 5:26 pm

you STAR! MANY MANY THANKS!
I've already donatec this month (doesn't show on donations) and I'll donate AGAIN

MANY MANY THANKS

YOU GUYS ROCK

Wink

Posted: Sat Mar 10, 2007 8:00 am

tell all yours friends... Laughing

Posted: Sat Mar 10, 2007 9:29 am

already have Wink

Posted: Thu Oct 11, 2007 12:41 pm

**UPDATE FOR SENTINEL VERSION 2.5.13**

I've updated my Sentinel version to that above; some of the variables/ code has changed. I'll put my changes below so that other users can see/ use the changes (I know a few of us use this thread when we need to look back)
in includes/nukesentinel.php look at around line 290 for the xss attack script.
Change this:

Code:

// Check for XSS attack


  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {


    if( (isset($name) AND (eregi("http\:\/\/", $name) OR eregi("https\:\/\/", $name)))


    OR (isset($file) AND (eregi("http\:\/\/", $file) OR eregi("https\:\/\/", $file)))


    OR (isset($libpath) AND (eregi("http\:\/\/", $libpath) OR eregi("https\:\/\/", $libpath)))


    OR stristr($nsnst_const['query_string'], "http://") OR stristr($nsnst_const['query_string'], "https://")


    OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )


    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )


    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {


      block_ip($blocker_row);


    }


  }


}

for this:

Code:

// Check for XSS attack


  if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {


    if( (isset($name) AND (eregi("http\:\/\/", $name) OR eregi("https\:\/\/", $name)))


    OR (isset($file) AND (eregi("http\:\/\/", $file) OR eregi("https\:\/\/", $file)))


    OR (isset($libpath) AND (eregi("http\:\/\/", $libpath) OR eregi("https\:\/\/", $libpath)))





    // Gallery hack


//original line below


// OR stristr($nsnst_const['query_string'], "http://") OR stristr($nsnst_const['query_string'], "https://")


//replacement code


OR  stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "name=gallery") OR stristr($nsnst_const['query_string'], "https://")





//original line below


    // OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )


//replacement code


OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery") )


//end of gallery hack





    OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )


    OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {


      block_ip($blocker_row);


    }


  }


}

I'm using a patched 7.6 nuke (over 3.3 or so), and we've tested it ok. If Raven/ other clever bod can check I've not borked the code up Very Happy

I take no responsibility for you using this code- but I hope it helps! Wink

Thanks for the system guys- script kiddies have been mental lately- the upgrade was necessary because of the IP2Country range, among others...

Posted: Wed Feb 13, 2008 1:57 pm

helped me, thanks!

and yes, the nuke sites I manage have been getting hammered by Filter attacks lately too.