Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
kevinkap
Involved
Involved


Joined: Apr 22, 2006
Posts: 356

PostPosted: Fri Mar 30, 2007 2:40 pm Reply with quote

Ok, on a site running rn2.02.02 with sentinel 2.5.07. I have a subscription module that takes a payment and runs it through paypal. There was an issue with the subscribers automatically being added to the database after payment.
The fix is to remove these lines of code in includes/sentinel.php

Code:
/ Invalid user agent

if($nsnst_const['user_agent']=="none" AND !stristr($_SERVER['PHP_SELF'], "backend.php") AND ($nsnst_const['remote_ip'] != $nsnst_const['server_ip'])) {
  echo abget_template("abuse_invalid2.tpl");
  die();
}


Is this safe to do?

_________________
Kevin Kappes 
View user's profile Send private message
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Fri Mar 30, 2007 3:52 pm Reply with quote

I'm wondering if you could limit this exception to when the subscription module is running. Often the variable $name has the name of the module, you might try echoing that out and see if it's in there and then include the test in an if ... like if($name != "my subscription module name"). I suppose a hacker could fake that but it would be more work.

There are others here who are more expert than I in this but that's an initial suggestion.
 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Fri Mar 30, 2007 7:13 pm Reply with quote

The invalid user agent can be configured so it doesn't trigger an error. This doesn't really block attack, but the possibility of attacks caused by a visitor with an invalid user agent. Most attacks seems to spoof the user agent away, so I'm not sure how effective this is anyway.

Another option is to modify the if statement to include whichever file name the IPN payment is returning to (see the backend.php logic).

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©