Ravens PHP Scripts: Forums
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Tue Aug 29, 2006 6:06 pm

I just noticed the following in my 7.9 w/ 3.2 patched mainfile.php

Code:


$postString = "";
foreach ($_POST as $postkey => $postvalue) {
    if ($postString > "") {
     $postString .= "&".$postkey."=".$postvalue;
    } else {
     $postString .= $postkey."=".$postvalue;
    }
}
str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if ((!is_admin($admin)) AND (stristr($postString,'%20union%20')) OR (stristr($postString,'*/union/*')) OR (stristr($postString,' union ')) OR (stristr($postString_64,'%20union%20')) OR (stristr($postString_64,'*/union/*')) OR (stristr($postString_64,' union ')) OR (stristr($postString_64,'+union+')) OR (stristr($postString,'http-equiv')) OR (stristr($postString_64,'http-equiv')) OR (stristr($postString,'alert')) OR (stristr($postString_64,'alert'))) {
header("Location: index.php");
die();
}


This code is very similar to the code that the core file edits in NukeSentinel say to comment out in the latest 2.5.2 update. Should I comment it out? Is NS already watching for this type of stuff?

I had a heck of a time posting a news story that contained the word 'alert'. I tracked it down to this code.

Thanks.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9455
Location: Arizona

PostPosted: Tue Aug 29, 2006 6:59 pm

You could also try "wrapping" it like this:

Code:


if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {
   $postString = '';
   foreach ($_POST as $postkey => $postvalue) {
      if ($postString > '') {
         $postString .= '&'.$postkey.'='.$postvalue;
      } else {
         $postString .= $postkey.'='.$postvalue;
      }
   }
   // str_replace() returns the modified string; the original line discarded it,
   // so the %09 -> %20 normalisation never took effect.
   $postString = str_replace("%09", "%20", $postString);
   $postString_64 = base64_decode($postString);
   if ((!isset($admin) OR (isset($admin) AND !is_admin($admin))) AND (stristr($postString,'%20union%20') OR stristr($postString,'*/union/*') OR     stristr($postString,' union ') OR stristr($postString_64,'%20union%20') OR stristr($postString_64,'*/union/*') OR stristr($postString_64,' union ') OR stristr($postString_64,'+union+') OR stristr($postString,'http-equiv') OR stristr($postString_64,'http-equiv') OR stristr($postString,'alert(') OR stristr($postString_64,'alert(') OR stristr($postString,'javascript:') OR stristr($postString_64,'javascript:') OR stristr($postString,'bad_tag') OR stristr($postString_64,'bad_tag') OR stristr($postString,'onmouseover=') OR stristr($postString_64,'onmouseover=') OR stristr($postString,'document.location') OR stristr($postString_64,'document.location'))) {
      header('Location: index.php');
      die();
   }
}

Gremmie
PostPosted: Tue Aug 29, 2006 7:05 pm

Yeah, in the recent core edits, the instructions showed commenting out code like this, even though it already had an if (!file_exists('includes/nukesentinel.php')) around it.

I found all the places in the instructions in my mainfile, but then I noticed I had an additional chunk of code (above) that looked very similar, but no mention of it in the instructions. Just curious. I'm assuming NS does look for union attacks, but does it handle javascript alerts (and the others)?

Are javascript alerts dangerous?
 
montego
PostPosted: Tue Aug 29, 2006 7:20 pm

Quote:

Are javascript alerts dangerous

It can be a form of XSS attack. Essentially, one could inject some javascript code that could echo out your admin cookie (for example) in an alert box.

So, yes, it can be dangerous.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Aug 30, 2006 11:39 am

I recommend changing "alert" to "alert(" - that should keep the protection and not block valid word usage

Gremmie
PostPosted: Wed Aug 30, 2006 12:36 pm

Thanks.

But what about "alert (" ?

Maybe I'd have to use a regular expression with 0 or more spaces between the alert and (.

But my question remains. If I comment out this code, does Sentinel protect against alert and http-equiv (whatever that is)? I guess I will grep the Sentinel code.
 
evaders99
PostPosted: Wed Aug 30, 2006 1:41 pm

Does the space affect the usage in Javascript? I haven't tested it myself
 
montego
PostPosted: Thu Aug 31, 2006 2:12 am

I have looked at the original code you posted and the mainfile.txt file edits and NO, the ones you posted should NOT be commented out! They are nowhere to be found in the mainfile.txt core edits file....
 
Gremmie
PostPosted: Thu Aug 31, 2006 11:14 am

Hi -

I know they are not in the mainfile.txt core edits file. However it seems like a huge sledgehammer to reject a forum post because it contains the word union. It has already happened a few times. It seems to work okay here. Doesn't Sentinel handle union in a more intelligent way than the code I posted? I would guess so, cause I can post here, and this site runs Sentinel....right?

Assuming Sentinel handles union, then I only have to deal with alert and the http-equiv. I will probably do what evaders99 suggests for alert (but I will look into the spaces) and just leave the http-equiv check. That's not too likely to come up in casual conversation on my board.

That is, unless someone can tell me that alert and http-equiv are already handled by Sentinel. In that case I probably could remove all of that code.

Comments?

(BTW, does anyone know what the concern with http-equiv is? I like to understand things and not just blindly carry them forward).
 
evaders99
PostPosted: Thu Aug 31, 2006 11:28 am

http-equiv is used as a META tag to add HTML headers.

It can do nasty or unexpected stuff like refresh the page to another page, change the target window, even set cookies.
 
Gremmie
PostPosted: Sat Sep 02, 2006 1:53 pm

You can have spaces between the function name and opening ( in javascript.

Try this in your browser's URL/address bar:

Code:


javascript: alert          ('hi');
 
evaders99
PostPosted: Wed Sep 06, 2006 12:29 pm

We're going to have to use regular expressions then to detect it. Arg
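What the regular-expression version of these checks could look like, as an added example that is not part of the original posts and not NukeSentinel's or PHP-Nuke's code. It is written in Python rather than PHP so it runs stand-alone; the names PATTERNS, normalise, find_matches and should_block are this example's own, and the sample POST bodies are constructed. Two design choices go beyond the thread: "union" is only flagged when followed by an optional "all" and then "select" (so the word "union" on its own no longer blocks a post), and "http-equiv" is only flagged inside a <meta> tag. Whitespace between "alert" and "(" is covered by \s*, which is the gap Gremmie points out.

```python
import re
from urllib.parse import unquote_plus

# Regular expressions standing in for the stristr() substring checks in
# mainfile.php. These are this example's own patterns, not NukeSentinel rules.
PATTERNS = {
    # SQL injection: "union", optional "all", then "select", separated by any run
    # of whitespace or /**/ comments (covers " union ", "+union+", "*/union/*").
    "sql_union_select": re.compile(
        r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b", re.I),
    # Script injection: "alert", any amount of whitespace, then "(".
    "js_alert_call": re.compile(r"\balert\s*\(", re.I),
    # javascript: URL scheme in a link or attribute.
    "js_scheme": re.compile(r"javascript\s*:", re.I),
    # http-equiv only matters inside a <meta> tag.
    "meta_http_equiv": re.compile(r"<meta\b[^>]*\bhttp-equiv\b", re.I),
}


def normalise(value: str) -> str:
    """Undo one layer of URL encoding (%20 and + become spaces, %09 a tab) and
    fold every run of whitespace to a single space before matching. This replaces
    the original str_replace("%09", "%20", ...) step."""
    decoded = unquote_plus(value)
    return re.sub(r"\s+", " ", decoded)


def find_matches(post: dict) -> list:
    """Return (field, pattern_name) for every POST field that trips a pattern,
    in PATTERNS order, so the caller can log what was matched and why."""
    hits = []
    for field, value in post.items():
        text = normalise(str(value))
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                hits.append((field, name))
    return hits


def should_block(post: dict, is_admin: bool = False) -> bool:
    """The decision the mainfile.php block makes: redirect non-admins whose POST
    matches. The admin exemption is applied to the whole result, not to one
    pattern only."""
    return (not is_admin) and bool(find_matches(post))


# Constructed sample POST bodies: the first two are the false positives from
# the thread (the plain words "union" and "alert"), the rest are injection
# shapes the original substring checks were trying to catch.
SAMPLE_POSTS = [
    {"subject": "Our union meeting is tonight"},
    {"body": "Please alert me when it ships"},
    {"body": "javascript: alert          ('hi');"},
    {"id": "1 UNION SELECT 1,2,3"},
    {"id": "1/**/union/**/select/**/1"},
    {"id": "1%20union%20all%20select%201"},
    {"body": '<meta http-equiv="refresh" content="0;url=http://example.com/">'},
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(post, "->", find_matches(post) or "clean")
```

This is still a blacklist and only reduces the false positives; it does not make the filter complete. The checks that actually close the holes these patterns hint at are parameterised queries for the union case and output encoding for the alert and http-equiv cases, with a filter like this kept as a logging aid rather than the only defence.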
 
Gremmie
PostPosted: Mon Dec 25, 2006 10:56 pm

Bump.

I just upgraded to 2.5.04 (thanks team! - donation on the way).

Just to recap, 7.9 (at least) has this weird chunk of code not mentioned in the core edits section that sends you to the index.php page if your post contains union, alert, or http-equiv (see the first message in this thread).

I'm assuming Nuke Sentinel protects against this stuff already, and I can remove this troublesome bit of code. Correct?

As it stands, my users can't make forum posts with the word union or alert in them. I noticed that you can on this site. Thanks.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Tue Dec 26, 2006 12:48 am

I know union is now handled differently so that could probably be removed in mainfile. The others I'm not sure about, might be worth checking includes/nukesentinel.php to be sure.

It would be really nice to have a proper list of words or strings that NS 'blocks' in its default mode as I suspect there are a great many users that wouldn't be able to read the 'code' and work it out - and that includes me!
 
montego
PostPosted: Tue Dec 26, 2006 2:07 pm

I could have sworn that the 2.5.03 instructions had comments in the installation instructions to remove that code in mainfile.php.
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Tue Dec 26, 2006 4:41 pm

I am pretty sure that section of code is commented out in the upcoming RN2.10 release. We had a pretty extensive discussion a while back and (a) there is a bug in the logic of the code in 2.02 and prior mainfiles that essentially removes the administrative exemption and (b) Sentinel protects against the same thing. Somewhere in another thread I posted a fix to the current mainfile logic that fixes the logic ... something to do with the number of parentheses.

I believe but I am not sure and don't have the energy to verify it right now that 2.10 is proceeding based on Sentinel protecting against the same threats. But there are a couple permutations of threats discussed earlier in this thread that we might want to go back and look at.
 
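The parentheses bug fkelly describes, made concrete as an added example that is not from the thread or from PHP-Nuke. It is Python, not the PHP in mainfile.php, but the precedence is the same: Python's "and" binds tighter than "or", just as PHP's AND binds tighter than OR, so the original condition parses as ((!is_admin) AND union_pct) OR union_comment OR ... OR alert, and the admin exemption covers only the first stristr() check. The function names and the sample post strings are this example's own; the base64_decode variants are left out because they do not change the point.

```python
def substring_hits(post_string: str) -> dict:
    """The individual stristr() checks from the mainfile.php block as named
    booleans. stristr is case-insensitive, so compare lower-cased text."""
    s = post_string.lower()
    return {
        "union_pct":     "%20union%20" in s,
        "union_comment": "*/union/*" in s,
        "union_space":   " union " in s,
        "http_equiv":    "http-equiv" in s,
        "alert":         "alert" in s,
    }


def original_condition(is_admin: bool, post_string: str) -> bool:
    """The original if-condition with its operator layout kept. Because `and`
    binds tighter than `or`, this is evaluated as
        ((not is_admin) and union_pct) or union_comment or union_space
                                       or http_equiv or alert
    so only the first check is gated on the admin test. True means the
    original code would send header("Location: index.php") and die()."""
    h = substring_hits(post_string)
    return (not is_admin) and h["union_pct"] \
        or h["union_comment"] \
        or h["union_space"] \
        or h["http_equiv"] \
        or h["alert"]


def fixed_condition(is_admin: bool, post_string: str) -> bool:
    """The wrapped version from earlier in the thread: the admin test is ANDed
    with the whole OR-group, so an administrator is exempt from every check."""
    h = substring_hits(post_string)
    return (not is_admin) and (
        h["union_pct"] or h["union_comment"] or h["union_space"]
        or h["http_equiv"] or h["alert"])


def compare(post_string: str) -> dict:
    """Evaluate both conditions for an admin and a non-admin on the same
    constructed POST string, for side-by-side inspection."""
    return {
        "admin":     (original_condition(True, post_string),
                      fixed_condition(True, post_string)),
        "non_admin": (original_condition(False, post_string),
                      fixed_condition(False, post_string)),
    }


if __name__ == "__main__":
    # Constructed sample POST strings in the key=value&key=value form the
    # foreach loop builds.
    for sample in ["title=Please alert me",
                   "q=1%20union%20select",
                   "q=1 union select",
                   "title=Hello"]:
        print(sample, "->", compare(sample))
```

The practical effect is the one fkelly reports: an administrator posting a news item containing "alert" or " union " is redirected by the original code even though the is_admin() call was meant to exempt them. The misparse makes the filter stricter, not weaker, so it produces the false positives in this thread rather than a bypass.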
binhaus
Hangin' Around


Joined: Oct 17, 2006
Posts: 25

PostPosted: Tue Apr 03, 2007 7:50 am

Hi,
I have the exact same problem here.
My Nuke is really patched to 3.2 and using NS 2.5.05,
not updated to 2.5.07 yet.

The instructions say to comment out both types of the code in the first two posts here...
It seems NS really fixes that problem without using the code in mainfile.php,
but why can my forums not post anything that has the words alert or union??

Any help???..
Thanks
 
Powered by phpBB © 2001-2007 phpBB Group