Dauthus
Worker
Joined: Oct 07, 2003
Posts: 211
Posted: Tue Aug 01, 2006 9:31 am
Here's the report from Sentinel:
Code:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Get String: [ Only registered users can see links on this board! Get registered or login! ]
Post String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 72.64.111.144
Remote Port: 60995
Request Method: GET
It appears this is a valid string within the Gallery 2 module. Anyone have a suggestion for a way to bypass the filter for the Gallery 2 module?
_________________
Vivere disce, cogita mori
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Aug 01, 2006 8:11 pm
This is an issue with the http being referenced in the link. It was actually introduced in one of the later 2.4.2 pl patches to stop the flood of hacks going on with the phpbb forums.
I cannot post the exact line for obvious reasons, but look in includes/nukesentinel.php for this line here:
// Check for XSS attack
The next line below that is the IF statement, followed by another line right after that which is very generic in catching http. Comment out that line.
However, I must warn you that it is a risk. I know there is a thread on this somewhere, but am not where I can very easily look for it. It may be in the 2.4.2 forum.
_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more...
Dauthus
Posted: Tue Aug 01, 2006 10:27 pm
Nuts. I thought this may have been a new one. I thought it was already fixed from this post:
[ Only registered users can see links on this board! Get registered or login! ]
This is a new query that is causing it. This is using the gallery search, not the upload feature. Would it still be the XSS causing this? I applied the fix mentioned in the post, and it fixed the issue with the upload feature.
I just didn't know which part of the code was causing the problem, if the http bypass works on one string and not another.
montego
Posted: Wed Aug 02, 2006 5:32 am
Ok, this is definitely odd. I re-read your other posts (sorry, did not recall that the last thread was from you...). What was your final XSS filter code that you came up with? Would you please post it here (I see now that it doesn't trip NS).
Dauthus
Posted: Wed Aug 02, 2006 6:14 pm
Code:
// Check for XSS attack
if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
// Added protection for gallery2 module
// original line, replaced by the gallery2-aware version below:
//OR stristr($nsnst_const['query_string'], "http://")
// block http:// in the query string unless the request is for the gallery2 module
OR ( stristr($nsnst_const['query_string'], "http://") AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery2"))
// END gallery2 protection
OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
}
} // presumably the end of the enclosing block in nukesentinel.php, not part of the if() above
The only other change was adding an exception for MS_Topsites, as members trying to report a cheat were being banned also. Both of them do not cause a ban now. It's just this new string in the gallery2 module that is being banned.
UPDATE: I have found clicking on "Advanced Search" in the gallery2 module causes a ban similar to this. Still haven't figured out why.
AFTER THOUGHT: Would it be possible to engineer a database-driven string protection (reverse of string blocker) addon in the admin panel? This way a user could copy and paste the valid string and add it to the database as a protected string. This way it would be site specific, and no one on the outside would know any different.
montego
Posted: Thu Aug 03, 2006 6:13 am
Try this first: Modify your changed line to only look for the string "gallery2".
If that doesn't work, comment out the line altogether.
I am really struggling to see which one of these conditions is tripping this.
Regarding your "AFTER THOUGHT" comment, it sounds like a great idea. I would suggest posting this in the NukeSentinel Enhancement Requests forum.
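To see which of the posted query-string conditions fires for a given request, here is an added PHP 7+ helper (example code, not NukeSentinel's or Dauthus's) that evaluates each condition on its own and compares the posted exception token with montego's suggested "gallery2". It assumes $nsnst_const['query_string'] holds PHP's $_SERVER['QUERY_STRING'], which begins after the "?" and so never contains "modules.php?"; the sample query string is constructed, since the real one from the Sentinel report is not on the page.

```php
<?php
// Added example, not NukeSentinel's code: runs each query-string condition of
// the posted check separately and names the ones that would call block_ip().
// The eregi() checks on $name/$file/$libpath are left out.
// Assumption: $nsnst_const['query_string'] holds $_SERVER['QUERY_STRING'],
// which starts after the "?" and therefore never contains "modules.php?".

// $gallery2Token is the marker the gallery2 exception searches for.
function nsRuleHits(string $qs, string $gallery2Token = 'modules.php?name=gallery2'): array
{
    $rules = [
        'http:// outside gallery2' => stristr($qs, 'http://') !== false
                                   && stristr($qs, $gallery2Token) === false,
        'cmd='                    => stristr($qs, 'cmd=') !== false
                                   && stristr($qs, '&cmd') === false,
        'exec'                    => stristr($qs, 'exec') !== false
                                   && stristr($qs, 'execu') === false,
        'concat'                  => stristr($qs, 'concat') !== false
                                   && stristr($qs, '../') === false,
    ];
    return array_keys(array_filter($rules));
}

// Constructed sample of a gallery2 request that carries a return URL in the
// query string; parameter names and values are made up for illustration.
$sample = 'name=gallery2&g2_view=search.SearchScan&g2_return=http://example.com/';

// With the exception token exactly as posted: the token cannot occur in a bare
// query string, so the http:// rule is still reported.
print_r(nsRuleHits($sample));

// With montego's suggestion of looking for just "gallery2": nothing reported.
print_r(nsRuleHits($sample, 'gallery2'));

// Caveat: "gallery2" is matched anywhere in the string, so any request that
// merely contains that word is also exempt from the http:// rule. A tighter
// exception reads the parsed "name" parameter instead of the whole string.
parse_str($sample, $params);
$isGallery2Request = ($params['name'] ?? '') === 'gallery2';
var_dump($isGallery2Request);
```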