question about changing some code

Involved Joined: Apr 22, 2006 Posts: 356

Ok, on a site running rn2.02.02 with sentinel 2.5.07. I have a subscription module that takes a payment and runs it through paypal. There was an issue with the subscribers automatically being added to the database after payment.
The fix is to remove these lines of code in includes/sentinel.php

Code:

/ Invalid user agent


if($nsnst_const['user_agent']=="none" AND !stristr($_SERVER['PHP_SELF'], "backend.php") AND ($nsnst_const['remote_ip'] != $nsnst_const['server_ip'])) {


  echo abget_template("abuse_invalid2.tpl");


  die();


}

Is this safe to do?

Posted: Fri Mar 30, 2007 3:52 pm

I'm wondering if you could limit this exception to when the subscription module is running. Often the variable $name has the name of the module, you might try echoing that out and see if it's in there and then include the test in an if ... like if($name != "my subscription module name"). I suppose a hacker could fake that but it would be more work.

There are others here who are more expert than I in this but that's an initial suggestion.

Site Admin Joined: Jun 04, 2004 Posts: 6432

The invalid user agent can be configured so it doesn't trigger an error. This doesn't really block attack, but the possibility of attacks caused by a visitor with an invalid user agent. Most attacks seems to spoof the user agent away, so I'm not sure how effective this is anyway.

Another option is to modify the if statement to include whichever file name the IPN payment is returning to (see the backend.php logic).