Ravens PHP Scripts: Forums
 

 

Susann
Moderator



Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Fri Dec 16, 2005 7:19 pm

Since I added the line for the cleanstring in includes/nukesentinel.php I've got some errors like this one:

Warning: base64_decode() expects parameter 1 to be string, array given in /www/htdocs/xxx/includes/nukesentinel.php on line 58,59,60.
Was my fault. Fixed it, but all links of the tracked IPs in NukeSentinel look like this with great letters:
Quote:

/modules.php?NAME=NEWS&FILE=ARTICLE&SID=98
/modules.php?NAME=NEWS&FILE=ARTICLE&SID=18
/modules.php?NAME=SURVEYS&OP=RESULTS&POLLID=12
/modules.php?NAME=CONTENT&PA=SHOWPAGE&PID=4
/modules.php?NAME=FORUMS&FILE=VIEWFORUM&F=30


And if I click the links I get "Sorry, you can't access this file directly". However it changes from time to time and the links are normal again.
The db warning for nsnst_tracked_ips is translated and it's something like:


The index types Index and PRIMARY should not be set for the column 'tid' at the same time.

I believe it's not the cleanstring but something in the nukesentinel.php or is it the database? How can I fix this problem?
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sat Dec 17, 2005 1:49 am

That would be a consequence of the "fix". My concern was stopping the exploit, not even thinking about the admin internals. I will get a fix out later today. Thanks for bringing this to my attention.

hitwalker
Sells PC To Pay For Divorce



Joined:
Posts: 5661

Posted: Sat Dec 17, 2005 5:24 am

yeah I see, it also shows in the mails it sends..
like... Query String: modules.php?NAME=FORUMS

Raven







Posted: Sat Dec 17, 2005 7:35 am

hitwalker wrote:
yeah I see, it also shows in the mails it sends..
like... Query String: modules.php?NAME=FORUMS
That I expected. I knew everything would be in caps and I felt that wasn't a big issue. But, links make a difference. I'll get this 'adjusted' in a bit.
 
Raven







Posted: Sun Dec 18, 2005 12:03 am

There is much buzz out there right now on an exploit with Search and possibly Web Links modules. First of all this is NOT a new exploit. I believe that Chatserv patched these back in c2.9 or 3.x. In any event, to protect yourself you should always apply the latest patches from Chatserv (presently 3.1) and always have the latest version of NukeSentinel(tm) (presently v2.4.2). The exploits are nonexistent and harmless to those sites that stay up to date.

However, if you find that your site is vulnerable due to either having been hacked or you know it's not up to date, you can patch it like this.

Edit includes/nukesentinel.php file

FIND AND REPLACE THIS ENTIRE FUNCTION (UPDATED 12/18/2005)
Code:
function st_clean_string($cleanstring) {}


WITH THIS

Code:
function st_clean_string($cleanstring) {

  $st_fr1 = array("%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09", "%10", "%11", "%12", "%13", "%14", "%15", "%16", "%17", "%18", "%19", "%20", "%21", "%22", "%23", "%24", "%25", "%26", "%27", "%28", "%29", "%30", "%31", "%32", "%33", "%34", "%35", "%36", "%37", "%38", "%39", "%40", "%41", "%42", "%43", "%44", "%45", "%46", "%47", "%48", "%49", "%50", "%51", "%52", "%53", "%54", "%55", "%56", "%57", "%58", "%59", "%60", "%61", "%62", "%63", "%64", "%65", "%66", "%67", "%68", "%69", "%70", "%71", "%72", "%73", "%74", "%75", "%76", "%77", "%78", "%79");

  $st_to1 = array("", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", " ", "!", "\"", "#", "$", "%", "&", "'", "(", ")", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "`", "a", "b", "c", "d", "e", "f", "g", "h", "i", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y");

  $st_fr2 = array("%0A", "%0B", "%0C", "%0D", "%0E", "%0F", "%1A", "%1B", "%1C", "%1D", "%1E", "%1F", "%2A", "%2B", "%2C", "%2D", "%2E", "%2F", "%3A", "%3B", "%3C", "%3D", "%3E", "%3F", "%4A", "%4B", "%4C", "%4D", "%4E", "%4F", "%5A", "%5B", "%5C", "%5D", "%5E", "%5F", "%6A", "%6B", "%6C", "%6D", "%6E", "%6F", "%7A", "%7B", "%7C", "%7D", "%7E", "%7F", "%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%1a", "%1b", "%1c", "%1d", "%1e", "%1f", "%2a", "%2b", "%2c", "%2d", "%2e", "%2f", "%3a", "%3b", "%3c", "%3d", "%3e", "%3f", "%4a", "%4b", "%4c", "%4d", "%4e", "%4f", "%5a", "%5b", "%5c", "%5d", "%5e", "%5f", "%6a", "%6b", "%6c", "%6d", "%6e", "%6f", "%7a", "%7b", "%7c", "%7d", "%7e", "%7f");

  $st_to2 = array("", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "", "", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "");

  $cleanstring = str_replace($st_fr1, $st_to1, $cleanstring);
  $cleanstring = str_replace($st_fr2, $st_to2, $cleanstring);
  return $cleanstring;
}
 
hitwalker







Posted: Sun Dec 18, 2005 4:53 am

huh?

Ok but ....
But what about this line we added before?...
Code:


$cleanstring = str_replace($cleanstring,strtoupper($cleanstring),$cleanstring);
 
Raven







Posted: Sun Dec 18, 2005 5:59 am

Well, since that's the line that caused the hyperlink problems, doesn't it seem logical that I took it out?
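
Added example, not part of the thread or of NukeSentinel: it rebuilds the posted `$st_fr*`/`$st_to*` pairs in the same order and runs a few constructed query strings through them, next to the interim `strtoupper` line (the names `build_tables` and `clean_like_post` and the sample strings are made up here). It shows that the posted function keeps the case of the query string, drops encoded control characters, and, because `str_replace()` applies the pairs one after another to the running result, decodes an escape produced by `%25` only when that escape comes later in the list.

```php
<?php
// Added example, not NukeSentinel code. Rebuilds the posted pairs in the
// posted order: digit-only escapes %00..%79, then A-F, then a-f.
function build_tables()
{
    $from = array();
    $to = array();
    foreach (array('0123456789', 'ABCDEF', 'abcdef') as $digits) {
        for ($hi = 0; $hi <= 7; $hi++) {
            foreach (str_split($digits) as $lo) {
                $byte = hexdec($hi . $lo);
                $from[] = '%' . $hi . $lo;
                // Control characters (0x00-0x1F) and DEL (0x7F) are dropped.
                $to[] = ($byte < 0x20 || $byte === 0x7F) ? '' : chr($byte);
            }
        }
    }
    return array($from, $to);
}

function clean_like_post($s)
{
    list($from, $to) = build_tables();
    // One call over the joined lists equals the post's two calls in sequence.
    return str_replace($from, $to, $s);
}

// Constructed sample query strings (not taken from any real log).
$samples = array(
    'name=News&file=article&sid=98', // nothing encoded
    'name=Surveys%26op%3dresults',   // encoded & and =, upper- and lower-case hex
    'a%00b%0D%0Ac',                  // encoded NUL, CR, LF
    '%2541',                         // '%25' is replaced before '%41' is searched
    '%2520',                         // '%20' was searched before '%25' produced it
);

foreach ($samples as $s) {
    // The interim line from this thread amounts to strtoupper() on the whole
    // string, which is what upper-cased the tracked links and mails.
    $interim = str_replace($s, strtoupper($s), $s);
    printf("%-30s clean=%-30s interim=%s\n", $s, clean_like_post($s), $interim);
}
```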
 
hitwalker







Posted: Sun Dec 18, 2005 6:29 am

oh but I can imagine that some don't understand that...
 
Raven







Posted: Sun Dec 18, 2005 6:39 am

It shouldn't matter. My instructions say to FIND AND REPLACE THIS ENTIRE FUNCTION (UPDATED 12/18/2005). Can it be any plainer?
 
hitwalker







Posted: Sun Dec 18, 2005 6:43 am

Well, at first I didn't even notice you wrote..."entire function"..
But there's nothing wrong with a "to be sure" question...lol
 
Susann







Posted: Sun Dec 18, 2005 9:56 am

It seems that doesn't work for me. Raven, if you are interested I'll send you my ftp password.
 
Raven







Posted: Sun Dec 18, 2005 10:05 am

I sent you the script I used for testing. Let me know what isn't happening. Maybe I missed something again.
 
Susann







Posted: Sun Dec 18, 2005 3:51 pm

Thank you for your quick reply and the information. I was only wondering about the behavior of the tracked links and the database. It's okay and the links in the emails are also correct.
 
fkelly
Former Moderator in Good Standing



Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Dec 19, 2005 4:12 pm

Did the replace on my test server and it bombs out ... evidence of a php syntax error.

Looked at code:
Code:
$cleanstring = str_replace($st_fr1, $st_to1, $cleanstring);

  $cleanstring = str_replace($st_fr2, $st_to2, $cleanstring);
  return $cleanstring;
}


and don't you mean to replace $st_fr1 with $st_fr2 and correspondingly $st_to1 with $st_to2? PHP manual indicates that first input is what's replaced, second is what it is replaced with and third is the "subject" which is the query string in this case. I'd say that with more assurance except that the replaced code also bombs on my server. I think I will enable more error reporting.

Later: have to run but I think there are also problems with the to2 array, codes duplicated and I doubt the number of array elements match with to1. Assuming that's the intent and my understanding of what's going on is admittedly shaky.
 
Raven







Posted: Mon Dec 19, 2005 4:22 pm

Something is wrong with your copy/paste or other code. That code is correct and is running on this site and many others. You are misreading the manual. The manual states:

mixed str_replace ( mixed search, mixed replace, mixed subject [, int &count] )

So, that means Find mixed search=$st_fr1, Replace with mixed replace=$st_to1, mixed subject=$cleanstring.

And there is nothing wrong with the arrays.
 
Raven







Posted: Mon Dec 19, 2005 4:32 pm

Here is a quick script I just wrote to verify the counts.
Code:
<?php

//
// Script to verify the counts of all from and to arrays
//
  $st_fr1 = array("%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09", "%10", "%11", "%12", "%13", "%14", "%15", "%16", "%17", "%18", "%19", "%20", "%21", "%22", "%23", "%24", "%25", "%26", "%27", "%28", "%29", "%30", "%31", "%32", "%33", "%34", "%35", "%36", "%37", "%38", "%39", "%40", "%41", "%42", "%43", "%44", "%45", "%46", "%47", "%48", "%49", "%50", "%51", "%52", "%53", "%54", "%55", "%56", "%57", "%58", "%59", "%60", "%61", "%62", "%63", "%64", "%65", "%66", "%67", "%68", "%69", "%70", "%71", "%72", "%73", "%74", "%75", "%76", "%77", "%78", "%79");

  $st_to1 = array("", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", " ", "!", "\"", "#", "$", "%", "&", "'", "(", ")", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "`", "a", "b", "c", "d", "e", "f", "g", "h", "i", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y");

  $st_fr2 = array("%0A", "%0B", "%0C", "%0D", "%0E", "%0F", "%1A", "%1B", "%1C", "%1D", "%1E", "%1F", "%2A", "%2B", "%2C", "%2D", "%2E", "%2F", "%3A", "%3B", "%3C", "%3D", "%3E", "%3F", "%4A", "%4B", "%4C", "%4D", "%4E", "%4F", "%5A", "%5B", "%5C", "%5D", "%5E", "%5F", "%6A", "%6B", "%6C", "%6D", "%6E", "%6F", "%7A", "%7B", "%7C", "%7D", "%7E", "%7F", "%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%1a", "%1b", "%1c", "%1d", "%1e", "%1f", "%2a", "%2b", "%2c", "%2d", "%2e", "%2f", "%3a", "%3b", "%3c", "%3d", "%3e", "%3f", "%4a", "%4b", "%4c", "%4d", "%4e", "%4f", "%5a", "%5b", "%5c", "%5d", "%5e", "%5f", "%6a", "%6b", "%6c", "%6d", "%6e", "%6f", "%7a", "%7b", "%7c", "%7d", "%7e", "%7f");

  $st_to2 = array("", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "", "", "", "", "", "", "", "", "", "", "", "", "", "*", "+", ",", "-", ".", "/", ":", ";", "<", "=", ">", "?", "J", "K", "L", "M", "N", "O", "Z", "[", "\\", "]", "^", "_", "j", "k", "l", "m", "n", "o", "z", "{", "|", "}", "~", "");


echo '<br /><br />$st_fr1 count = '.count($st_fr1);
echo '<br /><br />$st_to1 count = '.count($st_to1);
echo '<br /><br />$st_fr2 count = '.count($st_fr2);
echo '<br /><br />$st_to2 count = '.count($st_to2);
?>


You will see it shows

$st_fr1 count = 80

$st_to1 count = 80

$st_fr2 count = 96

$st_to2 count = 96
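
Added example, not part of the thread or of NukeSentinel: equal counts only show that the lists are the same length, so this hypothetical `check_table()` also looks at each pair, flagging duplicate search entries and any escape whose replacement is not the character it encodes (control characters and DEL expected as `''`, as in the posted tables). The two small tables are constructed; the second has one replacement lost and a trailing `''` added, so its count still matches.

```php
<?php
// Added example, not NukeSentinel code. check_table() is a hypothetical helper.
function check_table(array $from, array $to)
{
    $problems = array();
    if (count($from) !== count($to)) {
        // str_replace() uses '' for every search entry without a partner,
        // so a short replace list deletes text instead of decoding it.
        $problems[] = sprintf('count mismatch: %d search, %d replace', count($from), count($to));
    }
    $seen = array();
    foreach ($from as $i => $esc) {
        if (!preg_match('/^%([0-7][0-9A-Fa-f])$/', $esc, $m)) {
            $problems[] = "entry $i: '$esc' is not a %00-%7F escape";
            continue;
        }
        if (isset($seen[$esc])) {
            $problems[] = "entry $i: '$esc' duplicates entry {$seen[$esc]}";
        }
        $seen[$esc] = $i;
        // Policy taken from the posted tables: control characters and DEL
        // are removed, everything else becomes the character it encodes.
        $byte = hexdec($m[1]);
        $want = ($byte < 0x20 || $byte === 0x7F) ? '' : chr($byte);
        $got = array_key_exists($i, $to) ? $to[$i] : '';
        if ($got !== $want) {
            $problems[] = sprintf("entry %d: '%s' maps to '%s', expected '%s'", $i, $esc, $got, $want);
        }
    }
    return $problems;
}

// Constructed tables: a correct slice of the posted mapping, and a copy with
// '<' lost in pasting and '' appended, so the counts still agree.
$from = array('%3A', '%3B', '%3C', '%3D', '%3E', '%3F');
$good = array(':', ';', '<', '=', '>', '?');
$bad  = array(':', ';', '=', '>', '?', '');

print_r(check_table($from, $good));
print_r(check_table($from, $bad));
```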
 
fkelly







Posted: Mon Dec 19, 2005 5:08 pm

Okay, sorry. Tomorrow after a cup of coffee I will try to see what's wrong with my copy paste skills. It really looked like a simple task to me and I can't imagine how I could have screwed it up. Believe it or not I do know what a function is supposed to look like in PHP. Thanks again for all you do.
 
fkelly







Posted: Tue Dec 20, 2005 8:28 am

I was awake half the night wondering how I screwed up the copy and paste. It was too cold in the computer room to look though. I was convinced that the problem was not in my copy and paste but in my mods. In the thread:

http://www.ravenphpscripts.com/posts6368-highlight-.html

In the last two posts I gave a proposed mod for Sentinel to deal with problems in the last 1.x release of Gallery. Viperlord had previously developed a "fix" within Gallery but then the Gallery project changed the way their code worked and I couldn't figure out how to fix that any more so I made some changes to Sentinel instead. Basically, the issue is that three Gallery "commands" -- highlight, show and hide get filtered out by Sentinel in its native state.

My mod has been working on my production system for the last couple weeks but after the copy and paste problem last night I was convinced that there might be an incompatibility between the new cleanstring function and my mod. As usual what's obvious wasn't true. I had somehow, in the process of copying and pasting wiped out the function "get query_string" that follows the cleanstring function in NS. After fixing that I have my mod for Gallery working with NS and the new cleanstring.

I still feel uneasy with the validity of the "fix" I proposed and if someone with more expertise than I has a chance to look at it and comment it would be greatly appreciated. I realize that making Sentinel work properly with Gallery may not be a top priority of course.

Thanks again and I will always drink coffee rather than wine before doing any more copy and pasting.
 
Raven







Posted: Tue Dec 20, 2005 9:06 am

The filtering of commands that are used for cracking has always presented a problem. The problem is that I always seem too busy to devote the time to an elaborate algorithm to "disallow X except in the case of Y and only if Z ... etc.". And, since we are working with an interpreted scripting language that is a top down 2 pass construct, that compounds the possible approaches. I have some ideas but just haven't had the time to test and develop them (yet). So for right now it's more of collateral damage, if you will.
 
All times are GMT - 6 Hours
 