Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.5.x
Misha
Worker
Joined: Jul 30, 2006
Posts: 205
Location: McLean, VA

Posted: Thu Aug 23, 2007 9:12 pm

Hi guys,

Could anybody tell me what in this innocent string could trigger the script blocker, and how to deal with that?

www.funandsafedriving.com/modules.php?name=XXXX&op=xxxx&stateField=&a1=1815+sunnyside+road&c1=van+buren&s1=ar&z1=72956&a2=12500+"K"+plaza&c2=omaha&s2=ne&z2=68137

Thanks, Misha

Last edited by Misha on Sun Aug 26, 2007 6:03 pm; edited 1 time in total
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Fri Aug 24, 2007 1:10 am

You will need to post what strings you are blocking.
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Fri Aug 24, 2007 6:51 am

If you are being blocked by the script blocker then it would be the one that parses Get strings (there's a separate one for posts). The actual code is:

Code:
    // GET-side script blocker from NukeSentinel. The $diagnos lines are fkelly's
    // own debugging additions, not part of the shipped code.
    $diagnos = '';
    foreach ($_GET as $sec_key => $secvalue) {
        $diagnos .= 'get ' . $sec_key . ' is ' . $secvalue . ' || ';
        // Every check is case-insensitive (eregi); the last two look at the key, not the value.
        if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]body*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue)) ||            // any double quote in a value
            (eregi("forum_admin", $sec_key)) ||
            (eregi("inside_mod", $sec_key))) {
            $diagnos .= ' eregi met in get section ';
            // block_ip($blocker_row);   // blocking call commented out for the diagnostic run
        }
    }


In this code I've inserted a diagnostic variable which I was using to test what was happening. I don't see anything in your posted get string that would trigger this blocker. But I'm not an eregi expert by a long shot. Since this is open source it would be extremely helpful if someone would post a "get string blocker for dummies" document that would interpret exactly what is getting blocked here.

Short of putting my diagnostics into your code and echoing them in the footer, you could confirm that this blocking is taking place by temporarily turning the script blocker off and seeing if the same get string gets through.
Misha

Posted: Fri Aug 24, 2007 5:52 pm

Fkelly,

Thanks, perfect shot. Those are double quotes for sure. And they are absolutely legitimate here - somebody is just typing in an address to get driving directions... Now, how do I deal with those? Delete this eregi statement for double quotes? Or is there a more civilized way, like something I can configure using the interface, other than disabling script checking altogether?

Raven,

You have been lightning fast. Yes, I forgot to post the string, but I realized this immediately, and within two minutes edited the post.
fkelly

Posted: Fri Aug 24, 2007 6:27 pm

Misha, you are better at reading eregi's than I am, that's for sure. I'd guess you could modify that eregi to eliminate checking for them (the double quotes). It would be nice to know, though, exactly what went into developing those eregi's and what they are supposed to check for. I've had fits trying to interpret the similar eregi's for POST strings. For instance, it seems to check for tbody with any other character before it. A lot of stuff that gets pasted in from Word documents has tbody in it, and I believe that the built-in WYSIWYG editor generates them too. So we kind of have our software fighting against itself.

I think you are talking about a script blocker here and not a string blocker. Right?
Misha

Posted: Fri Aug 24, 2007 6:47 pm

Fkelly,

No, I just eyeballed the string before and my best guess was double quotes, so I just looked for them in the code you posted.

Yeah, sure, I meant script, because Sentinel gives me an abuse-script message with that.

Well, I'm just wondering how dangerous it is to allow double quotes? Is there any real danger in this? Isn't this a kind of over-protection that I often believe is the nature of sentinel? Don't get me wrong, sentinel is a great product and I'm glad I have it - I believe it's the best available. But with any protection you need a balance between risk and reward, and I look at those balances slightly differently than Bob.

Thanks, Misha
fkelly

Posted: Fri Aug 24, 2007 7:25 pm

Misha, I've had some of the same questions you do. But Bob, and any collaborators he had on Sentinel, obviously went through a great deal of work to come up with what they did. So I am very cautious in just "turning it off" by turning off the Script filters or trying to modify code that I don't fully understand. Hopefully Bob and/or Raven can be induced to stop by here and address this in greater detail. I don't pretend to be able to.
Raven

Posted: Fri Aug 24, 2007 8:29 pm

That code is actually regular nuke code that we took out of mainfile.php as we felt it was better placed in NukeSentinel(tm). We may have doctored it up a little but quotes have always been in the eregi. The main reason is that allowing quotes in certain form strings very easily allows SQL injection depending on how the query is written. And we all know that *nuke is infamous for bad coding.
Misha

Posted: Fri Aug 24, 2007 8:38 pm

Thanks guys.

Something to think about... I guess I'm going to try to modify the code to allow quotes only for one module. This will minimize the risk somewhat. I don't want to lose clients, and such things happen once a week on average probably.

Thanks, Misha
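To make the thread's diagnosis concrete, here is an added example (not NukeSentinel's code, nor any poster's) that replays the GET-blocker checks from fkelly's post over the query string from Misha's first post, and adds the per-module double-quote exception Misha describes. The constant names, findBlockerHit() and the use of the GET "name" parameter to identify the module are my assumptions; the patterns are transcribed verbatim from the eregi calls into preg_match(), since eregi() no longer exists in current PHP.

```php
<?php
// Added example (not NukeSentinel's code): replay the GET script-blocker
// checks from fkelly's post over the query string Misha posted. eregi() no
// longer exists in current PHP, so each pattern is transcribed verbatim into
// preg_match() with # delimiters and the /i flag that eregi implied.
const VALUE_CHECKS = [
    'script'      => '#<[^>]script*"?[^>]*>#i',
    'object'      => '#<[^>]*object*"?[^>]*>#i',
    'iframe'      => '#<[^>]*iframe*"?[^>]*>#i',
    'applet'      => '#<[^>]*applet*"?[^>]*>#i',
    'meta'        => '#<[^>]*meta*"?[^>]*>#i',
    'style'       => '#<[^>]style*"?[^>]*>#i',
    'form'        => '#<[^>]*form*"?[^>]*>#i',
    'img'         => '#<[^>]*img*"?[^>]*>#i',
    'onmouseover' => '#<[^>]*onmouseover*"?[^>]*>#i',
    'body'        => '#<[^>]body*"?[^>]*>#i',
    'parens'      => '#\([^>]*"?[^)]*\)#i',
    'dquote'      => '#"#',
];
const KEY_CHECKS = ['forum_admin' => '#forum_admin#i', 'inside_mod' => '#inside_mod#i'];

// Returns [parameter, check] for the first check that fires, or null if the
// request passes. $dquoteAllowedModules is Misha's idea: skip only the
// double-quote check for the listed modules (keyed on the GET "name" value,
// an assumption); every other check still applies to those modules.
function findBlockerHit(array $get, array $dquoteAllowedModules = []): ?array
{
    $module = (string)($get['name'] ?? '');
    foreach ($get as $key => $value) {
        foreach (KEY_CHECKS as $check => $re) {
            if (preg_match($re, (string)$key)) { return [(string)$key, $check]; }
        }
        foreach (VALUE_CHECKS as $check => $re) {
            if ($check === 'dquote' && in_array($module, $dquoteAllowedModules, true)) { continue; }
            if (preg_match($re, (string)$value)) { return [(string)$key, $check]; }
        }
    }
    return null;
}

// Query string from the URL in Misha's first post (constructed sample input).
$query = 'name=XXXX&op=xxxx&stateField=&a1=1815+sunnyside+road&c1=van+buren'
       . '&s1=ar&z1=72956&a2=12500+"K"+plaza&c2=omaha&s2=ne&z2=68137';
parse_str($query, $get);
foreach ([[], ['XXXX']] as $allowed) {
    $hit = findBlockerHit($get, $allowed);
    printf("allowed modules %-8s -> %s\n", json_encode($allowed),
        $hit ? "blocked: '{$hit[0]}' trips check '{$hit[1]}'" : 'passes');
}
```

The first run reports parameter a2 tripping the dquote check and the second run passes, which is the behaviour Misha wants for that one module. Relaxing the quote check for a module is only safe if that module never places those values into SQL unescaped, which is exactly the risk Raven describes.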
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours