Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
Cirque
Hangin' Around


Joined: Oct 10, 2004
Posts: 35

PostPosted: Sat Nov 06, 2004 7:26 pm Reply with quote

Date & Time: 2004-11-06 16:31:19
Blocked IP: XX.XX.XX.XX
User ID: SOMEUSERNAME (####)
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: XX.XX.XX.XX
Remote Port: 12141
Request Method: GET

============
Why is the above (EDITED) triggering off as bad and blocking that user because of filters?
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sat Nov 06, 2004 9:14 pm Reply with quote

"concat" is a filtered word that XSS sometimes use.

Look for this code in includes/sentinel.php
Code:
  // Check for XSS attack

  if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {


Remove it or comment it out at your own risk.
 
View user's profile Send private message
Cirque
PostPosted: Sat Nov 06, 2004 9:40 pm Reply with quote

Thats a bummer, its a command listed in my enclyopedia which users sometime search for. Is there anything more that I could add instead of removing it? "concat<SOMELETTER>" like "concatb" if there was more to that string usually sent?
 
Cirque
PostPosted: Sat Nov 06, 2004 9:43 pm Reply with quote

Perhaps:
Code:


  if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring) AND !eregi("y=concat",$querystring)) {

Would work?
 
Raven
PostPosted: Sat Nov 06, 2004 9:45 pm Reply with quote

Try it and find out Wink
 
Cirque
PostPosted: Sat Nov 06, 2004 9:58 pm Reply with quote

Nope.. sure doesnt work. And searching for concat here is not a good idea. When I clicked on the resulting searchs found, I got sentinel'ed. heh. So any ideas on anything I can add to the word concat that would be used in the attack but not trigger if they only search for exactly concat?
 
Raven
PostPosted: Sat Nov 06, 2004 10:07 pm Reply with quote

Try your search again.
 
Cirque
PostPosted: Sat Nov 06, 2004 10:10 pm Reply with quote

That worked, I was able to search here and click through on the result without being banned.
 
Raven
PostPosted: Sat Nov 06, 2004 10:17 pm Reply with quote

Just comment it out.
 
Cirque
PostPosted: Sat Nov 06, 2004 10:21 pm Reply with quote

Oh.. well you had me a little worried that someone would XSS attack me if I did that.. was hoping for a way to be safe and still allow people to search for concat. Oh well.. guess I can unban them all the time.
 
Raven
PostPosted: Sat Nov 06, 2004 10:24 pm Reply with quote

There is but I am involved in a project right now and can't tend to it. If someone else doesn't help you with this get back to me in a day or so.
 
Cirque
PostPosted: Sat Nov 06, 2004 10:30 pm Reply with quote

Ya, no rush, I will check back in a couple, rather unban a couple people now and again then open up holes whenever possible.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©