tina
Regular
Joined: Aug 15, 2006
Posts: 66

Posted: Wed Aug 30, 2006 9:18 am

Quote:
On August 24, 2006, the International Astronomical Union formally downgraded Pluto from an official planet to a dwarf planet. Following many years of controversial debate since its discovery in 1930 and following hot on the heels of the discovery of another small planet Xena in our solar system, which turns out to be 5 percent larger than Pluto, the IAU have changed the definition of what makes a planet, a planet.


I'm trying to add the above text to my news module but it just keeps redirecting me to the main page of the site, even when previewing. I've got no clue why it won't add it. It seems to add the word "test" fine.

tina
Regular
Joined: Aug 15, 2006
Posts: 66

Posted: Wed Aug 30, 2006 9:23 am

If I try to add "On August 24, 2006, the International Astronomical Union" it adds fine but has a problem with the word formally..... Though if I just try to publish the word formally by itself, it'll do that. I don't understand ??????

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 5354

Posted: Wed Aug 30, 2006 9:25 am

It's the word Union. Change the letter o to the number zero (0). NukeSentinel doesn't like union because it's used in all kinds of attacks.

tina
Regular
Joined: Aug 15, 2006
Posts: 66

Posted: Wed Aug 30, 2006 9:25 am

Oh... If I take out the word "Union" from the entire paragraph it will post it. However when I just tried to post the start of the paragraph up to and including Union it allowed it to preview. This is like. Weird. Ummmm how do I stop this from happening?

tina
Regular
Joined: Aug 15, 2006
Posts: 66

Posted: Wed Aug 30, 2006 9:29 am

Sorry Kguske, was posting and editing as you posted.

Is there any way to stop that apart from changing the letter o to 0? I mean it's the name of an organisation that I'd like to represent correctly on my site. And one that will probably be used often.

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 5354

Posted: Wed Aug 30, 2006 9:38 am

What version of NukeSentinel are you using? I think it's gone back and forth on how it stops union attacks...

tina
Regular
Joined: Aug 15, 2006
Posts: 66

Posted: Wed Aug 30, 2006 9:40 am

NukeSentinel(tm) 2.5.02

I ended up just putting a space in the name though I'd still like to be able to post it correctly. - though if it means having security less tight then I'll stick to putting a space in the name.

(thanks for your help btw)

Trubador
Regular
Joined: Dec 28, 2004
Posts: 94

Posted: Thu Aug 31, 2006 6:16 am

I'm using 2.5.1 and Raven's latest distro and just found the same problem.

If I type "Union Jack" and post in the forums its OK.

If I type "The Union Jack" it bins out to the main page.

If I turn off the Union blocker it works fine so it is directly related.

Should I post this in the Sentinel forums?

Trub

jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1005

Posted: Thu Aug 31, 2006 12:51 pm

I wouldn't turn the union protection off. That is a huge risk. We all have simply resigned ourselves to adding a space or changing the letter o to the number 0. It is worth it to avoid the union exploits. At least for most of us.

Trubador
Regular
Joined: Dec 28, 2004
Posts: 94

Posted: Thu Aug 31, 2006 3:02 pm

Sorry Jaded, I wrote that very badly.

On NO account have I or should anyone leave themselves open to exploit.

:)

Trub

jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1005

Posted: Thu Aug 31, 2006 3:09 pm

No need for sorry. I just wanted to be sure that somebody who read that did not think it was okay to turn off their protection lol.

srhh
Involved
Joined: Dec 27, 2005
Posts: 296

Posted: Thu Aug 31, 2006 5:12 pm

Raven gave me a workaround for this a while ago that doesn't alter the way the word looks. Paste the article into Word or FrontPage if you have it and replace all instances of union with & # 1 1 7 ; nion
& # 1 1 7 ; is ASCII for u. So it'll actually show up as union when you post.
NOTE: I had to put spaces in between the & # 1 1 7 ; because otherwise it wasn't showing up right in the post. Don't put spaces in between those characters when you are replacing the letter.

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 5354

Posted: Thu Aug 31, 2006 5:18 pm

Once again, circumvention is the key to all progress.

For the record, it's &#177 followed by ; (the forums disguises it).

Trubador
Regular
Joined: Dec 28, 2004
Posts: 94

Posted: Thu Aug 31, 2006 6:17 pm

Nice one guys...... and gals.

Cheers for the work around.

I won't be able to post back if I need to till next Wednesday.

Jaded I don't normally post like this..... I'm having a few probs with my main website and lost my sense of humour..... I think my posts are becoming robotic :)

Oooooooo......... I may need some proper advice and I know I can come to you guys for it....... I've gone off topic.......

Cheers again.

Trub

fkelly
Moderator
Joined: Aug 30, 2005
Posts: 2452
Location: near Albany NY

Posted: Thu Aug 31, 2006 6:48 pm

While circumvention has its virtues, the real problem here lies in mainfile.php and not Sentinel and it's fixed for the next release of Ravennuke. There was a missing parenthesis in a very complex set of logic. For now circumvent.

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 5458

Posted: Thu Aug 31, 2006 7:52 pm

I was actually testing that very thing today in the files for the next release - good job FK

manunkind
Client
Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

Posted: Fri Sep 01, 2006 6:42 am

fkelly wrote:
While circumvention has its virtues, the real problem here lies in mainfile.php and not Sentinel and it's fixed for the next release of Ravennuke. There was a missing parenthesis in a very complex set of logic. For now circumvent.


Will this fix be published anywhere so that we can fix our sites?

fkelly
Moderator
Joined: Aug 30, 2005
Posts: 2452
Location: near Albany NY

Posted: Fri Sep 01, 2006 7:40 am

Well with the usual caveats ... back things up, test the results, know what you are doing with coding ... you can find this code in mainfile (before version is from RN2.02)

BEFORE:
Code:

$postString = "";
foreach ($_POST as $postkey => $postvalue) {
    if ($postString > "") {
     $postString .= "&".$postkey."=".$postvalue;
    } else {
     $postString .= $postkey."=".$postvalue;
    }
}
str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if ((!isset($admin) OR (isset($admin) AND !is_admin($admin))) AND (stristr($postString,'%20union%20')) OR (stristr($postString,'*/union/*')) OR (stristr($postString,' union ')) OR (stristr($postString_64,'%20union%20')) OR (stristr($postString_64,'*/union/*')) OR (stristr($postString_64,' union ')) OR (stristr($postString_64,'+union+')) OR (stristr($postString,'http-equiv')) OR (stristr($postString_64,'http-equiv')) OR (stristr($postString,'alert(')) OR (stristr($postString_64,'alert(')) OR (stristr($postString,'javascript:')) OR (stristr($postString_64,'javascript:')) OR (stristr($postString,'bad_tag')) OR (stristr($postString_64,'bad_tag')) OR (stristr($postString,'onmouseover=')) OR (stristr($postString_64,'onmouseover=')) OR (stristr($postString,'document.location')) OR (stristr($postString_64,'document.location'))) {
header("Location: index.php");
die();
}



and replace it with this:

Code:
if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {
   $postString = '';
   foreach ($_POST as $postkey => $postvalue) {
      if ($postString > '') {
         $postString .= '&'.$postkey.'='.$postvalue;
      } else {
         $postString .= $postkey.'='.$postvalue;
      }
   }
   // str_replace() returns the new string, so the result has to be assigned.
   $postString = str_replace("%09", "%20", $postString);
   $postString_64 = base64_decode($postString);
   // The admin test now guards the whole OR list; the BEFORE code closed the
   // parenthesis after the first stristr(), so the remaining checks ran for everyone.
   if ((!isset($admin) OR (isset($admin) AND !is_admin($admin))) AND (stristr($postString,'%20union%20') OR stristr($postString,'*/union/*') OR stristr($postString,' union ') OR stristr($postString_64,'%20union%20') OR stristr($postString_64,'*/union/*') OR stristr($postString_64,' union ') OR stristr($postString_64,'+union+') OR stristr($postString,'http-equiv') OR stristr($postString_64,'http-equiv') OR stristr($postString,'alert(') OR stristr($postString_64,'alert(') OR stristr($postString,'javascript:') OR stristr($postString_64,'javascript:') OR stristr($postString,'bad_tag') OR stristr($postString_64,'bad_tag') OR stristr($postString,'onmouseover=') OR stristr($postString_64,'onmouseover=') OR stristr($postString,'document.location') OR stristr($postString_64,'document.location'))) {
      header('Location: index.php');
      die();
   }
}


Note that the whole thing is "wrapped" by a test for whether the user is an admin or whether sentinel exists. If so, it's not executed at all. Sentinel has its own tests for "union".
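
A reduced reproduction of the grouping bug fkelly describes, as an added example (not RavenNuke's or NukeSentinel's code): only two of the `union` substring checks are kept, `$isAdmin` stands in for the `is_admin($admin)` test, and the function names and sample posts are made up for illustration.

```php
<?php
// Added illustration, not RavenNuke code. Function names are hypothetical;
// $isAdmin stands in for the page's isset($admin) AND is_admin($admin) test.

// Flatten POST fields into key=value&key=value, as mainfile.php does.
function build_post_string(array $post): string {
    $pairs = [];
    foreach ($post as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

// BEFORE grouping: AND binds tighter than OR, so this evaluates as
// (!$isAdmin AND check1) OR check2, and check2 applies to admins too.
function blocked_before(string $s, bool $isAdmin): bool {
    return (!$isAdmin AND (stristr($s, '%20union%20')) OR (stristr($s, ' union ')));
}

// AFTER grouping: the admin test guards the whole list of checks.
function blocked_after(string $s, bool $isAdmin): bool {
    return (!$isAdmin AND (stristr($s, '%20union%20') OR stristr($s, ' union ')));
}

// Constructed sample posts, using wording quoted in the thread.
$samples = [
    'Union Jack',
    'The Union Jack',
    'the International Astronomical Union',
    'the International Astronomical Union formally downgraded Pluto',
    'The &#117;nion Jack', // entity renders as "u"; no literal " union " in the POST
];

foreach ($samples as $text) {
    $s = build_post_string(['subject' => 'test', 'message' => $text]);
    printf("%-64s admin/before=%d admin/after=%d visitor/after=%d\n",
        $text,
        blocked_before($s, true),
        blocked_after($s, true),
        blocked_after($s, false));
}
```

Rows where admin/before is 1 and admin/after is 0 are posts that the missing parenthesis redirected even for administrators. visitor/after stays 1 on those rows, because the corrected filter still matches the bare substring for non-admins whenever this fallback check is active.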

manunkind
Client
Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

Posted: Fri Sep 01, 2006 8:19 pm

Thanks. :)
The comments are property of their posters, all the rest © 2002-2009 by Raven