Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
Misha
Worker
Worker


Joined: Jul 30, 2006
Posts: 203
Location: McLean, VA

PostPosted: Thu Aug 23, 2007 9:12 pm Reply with quote

Hi guys,

Could anybody tell me what in this innocent string could trigger script blocker, and how to deal with that?

www .funandsafedriving.com/modules.php?name=XXXX&op=xxxx&stateField=&a1=1815+sunnyside+road&c1=van+buren&s1=ar&z1=72956&a2=12500+"K"+plaza&c2=omaha&s2=ne&z2=68137

Thanks, Misha

_________________
Only registered users can see links on this board! Get registered or login!

Last edited by Misha on Sun Aug 26, 2007 6:03 pm; edited 1 time in total 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Aug 24, 2007 1:10 am Reply with quote

You will need to post what strings you are blocking.
 
View user's profile Send private message
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Fri Aug 24, 2007 6:51 am Reply with quote

If you are being blocked by the script blocker then it would be the one that parses Get strings (there's a separate one for posts). The actual code is:

Code:
   foreach($_GET as $sec_key => $secvalue) {

                  $diagnos .= 'get ' . $sec_key . ' is ' . $secvalue . ' || ';
      if((eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]style*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]body*\"?[^>]*>", $secvalue)) ||
      (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
      (eregi("\"", $secvalue)) ||
      (eregi("forum_admin", $sec_key)) ||
      (eregi("inside_mod", $sec_key))) {
           $diagnos .= ' eregi met in get section ';
        // block_ip($blocker_row);


In this code I've inserted a diagnostic variable which I was using to test what was happening. I don't see anything in your posted get string that would trigger this blocker. But I'm not an eregi expert by a long shot. Since this is open source it would be extremely helpful if someone would post a "get string blocker for dummies" document that would interpret exactly what is getting blocked here.

Short of putting my diagnostics in to your code and echoing them in the footer you could confirm that this blocking is taking place by temporarily turning the scripting blocker off and seeing if the same get string gets thru.
 
View user's profile Send private message Visit poster's website
Misha
PostPosted: Fri Aug 24, 2007 5:52 pm Reply with quote

Fkelly,

Thanks, perfect shot. Those are double quotes for sure. And they are absolutely legitimate here - somebody if just typing in an address to get driving directions... Now, how do I deal with those? Delete this eregi statement for double quotes? Or there is more civilized way like something I can configure using interface, other than disabling script cheking altogether?

Raven,

You have been lightning fast. Yes, I forgot to post the string, but I realized this immediately, and within two minutes edited the post Very Happy
 
fkelly
PostPosted: Fri Aug 24, 2007 6:27 pm Reply with quote

Misha, you are better at reading eregi's than I am, that's for sure. I'd guess you could modify that eregi to eliminate checking for them (the double quotes). It would be nice to know though exactly what went into developing those eregi's and what they are supposed to check for. I've had fits trying to interpret the similar eregi's for POST strings. For instance it seems to check for tbody with any other character before it. A lot of stuff that gets pasted in from Word documents has tbody in it and I believe that the built in wysiwyg editor generates them too. So we kind of have our software fighting against itself.

I think you are talking about a script blocker here and not a string blocker. Right?
 
Misha
PostPosted: Fri Aug 24, 2007 6:47 pm Reply with quote

Fkelly,

No, I just eyeballed the string before and my best guess was double quotes, so I just looked for them in the code you posted Wink

Yeah, sure I meant script cause sentinel gives me abuse-script message with that.

Well, I'm just wondering how dangerous it is to allow double quotes? Is there any real danger in this? Isn't this a kind of over-protection that I often believe is the nature of sentinel? Don't get me wrong, sentinel is a great product and I'm glad I have it - I believe it's the best available. But with any protection you need a balance between risk and reward, and I look at those balances slightly differently than Bob.

Thanks, Misha
 
fkelly
PostPosted: Fri Aug 24, 2007 7:25 pm Reply with quote

Misha, I've had some of the same questions you do. But Bob, and any collaborators he had on Sentinel, obviously went thru a great deal of work to come up with what they did. So I am very cautious in just "turning it off" by turning off the Script filters or trying to modify code that I don't fully understand. Hopefully Bob and/or Raven can be induced to stop by here and address this in greater detail. I don't pretend to be able to.
 
Raven
PostPosted: Fri Aug 24, 2007 8:29 pm Reply with quote

That code is actually regular nuke code that we took out of mainfile.php as we felt it was better placed in NukeSentinel(tm). We may have doctored it up a little but quotes have always been in the eregi. The main reason is that allowing quotes in certain form strings very easily allows SQL injection depending on how the query is written. And we all know that *nuke is infamous for bad coding.
 
Misha
PostPosted: Fri Aug 24, 2007 8:38 pm Reply with quote

Thanks guys.

Something to think about... I guess I'm going to try to modify the code to allow quotes only for one module. This will minimize the risk somewhat. I don't want to lose clients, and such things happen once a week on average probably.

Thanks, Misha
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©