| Author |
Message |
Dauthus Worker


Joined: Oct 07, 2003 Posts: 211
|
Posted:
Sun Jun 25, 2006 9:55 pm |
|
I have the gallery2 module running in my Nuke 7.6 pl 3.1 site. For some reason, when I try to add an image to my albums, I am triggering sentinel as attempting to bypass the Filter System on the site.
The string is as follows:
Right now, sentinel won't allow members to upload images to their albums. Any suggestions for a possible fix for this? |
|
|
|
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Sun Jun 25, 2006 10:37 pm |
|
I think this is one of the functionalities of sentinel and to edit or disable this would leave your site wide open to an attack. |
|
|
 |
 |
montego Former Admin in Good Standing

Joined: Aug 29, 2004 Posts: 9071 Location: Arizona
|
Posted:
Mon Jun 26, 2006 9:24 am |
|
The internal "http://" value in your query string is what has tripped this. I just wish Gallery wouldn't do this! I do not understand why they needed to architect it this way.
If you open up your includes/nukesentinel.php script, look for the following code:
| Code: |
// Check for XSS attack
if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
|
The line right below this last line in your pl9 version of NS has a specific OR statement to look for http anywhere within the query string. You can, at your own risk, comment that line out.
You could play around with this and may add a check for name=Gallery2 in there so that you are still protected with this line outside of Gallery2. |
|
|
|
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Mon Jun 26, 2006 9:45 am |
|
Untested, but it should work:
Replace all this:
| Code: | eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
OR eregi("http\:\/\/", $ublock) OR eregi("http\:\/\/", $phpbb_root_path) |
With:
| Code: | (eregi("http\:\/\/", $nsnst_const['query_string']) AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery2")) |
|
|
|
|
 |
Dauthus Worker


Joined: Oct 07, 2003 Posts: 211
|
Posted:
Mon Jun 26, 2006 12:05 pm |
|
Thanks for all the help.
technocrat, I don't have the
| Code: | OR eregi("http\:\/\/", $ublock) OR eregi("http\:\/\/", $phpbb_root_path) |
in my version of sentinel.php. (pl9)
I am going to try and add the gallery2 module in there somewhere with a NOT operator and see what happens. |
|
|
|
 |
Dauthus Worker


Joined: Oct 07, 2003 Posts: 211
|
Posted:
Mon Jun 26, 2006 12:50 pm |
|
Ok, here's what I ended up doing. I would appreciate it if the experts here would check it and make sure I didn't screw up anything. I did check it and it works. I can upload images fine. I also checked the XSS by clicking on a referrer link in the admin and still ended up being banned, so I think it only allows the gallery2 module.
This is pretty much using technocrat's suggestion and montego's input.
| Code: | // Check for XSS attack
if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
// Added protection for gallery2 module
//OR stristr($nsnst_const['query_string'], "http://")
OR ( stristr($nsnst_const['query_string'], "http://") AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery2"))
// END gallery2 protection
OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
block_ip($blocker_row);
}
} |
Thanks for any and all help. |
|
|
|
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Mon Jun 26, 2006 12:54 pm |
|
That should work; all you need to do is test it:
modules.php?name=http://
modules/Forums/admin/index.php?phpbb_root_path=http://
Should both trigger sentinel |
|
|
|
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Mon Jun 26, 2006 4:40 pm |
|
Tech, I tried the phpbb link and I just got an illegal operation; with the other one I just simply got banned (this one is ok I think).
Is this how it's supposed to occur? |
|
|
 |
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Mon Jun 26, 2006 4:50 pm |
|
You should be getting banned and if you are not then you have a problem.
I changed it to an eregi for a test and it worked fine with everything so here is what I have:
| Code: | if ((eregi("http\:\/\/", $nsnst_const['query_string']) && !stristr($nsnst_const['query_string'], "modules.php?name=gallery2")) OR
(stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd")) OR
(stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu")) OR
stristr($nsnst_const['query_string'],"concat") AND
!stristr($nsnst_const['query_string'], "../")) { |
|
|
|
|
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Mon Jun 26, 2006 5:00 pm |
|
Actually... I didn't get banned at all... just blocked |
|
|
 |
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Mon Jun 26, 2006 5:01 pm |
|
I thought about it and found that this would be much safer:
| Code: | if ((eregi("http\:\/\/", $nsnst_const['query_string']) && substr($nsnst_const['query_string'],0,strlen("name=gallery2")) != 'name=gallery2') OR
(stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd")) OR
(stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu")) OR
stristr($nsnst_const['query_string'],"concat") AND
!stristr($nsnst_const['query_string'], "../")) { |
|
|
|
|
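Added example (not part of any post above, and not NukeSentinel's own code): the two Gallery2 exemptions proposed in this thread, run side by side with a stricter parsed variant that goes one step beyond them. Function names, the `return` parameter and the query strings are constructed for illustration; `stripos` stands in for `eregi`/`stristr`.

```php
<?php
// Exemption as in the 12:50 pm edit: the marker may appear anywhere in the query string.
function flagged_contains(string $qs): bool {
    return stripos($qs, 'http://') !== false
        && stripos($qs, 'modules.php?name=gallery2') === false;
}

// Exemption as in the 5:01 pm edit: the query string must start with name=gallery2.
function flagged_prefix(string $qs): bool {
    return stripos($qs, 'http://') !== false
        && substr($qs, 0, strlen('name=gallery2')) != 'name=gallery2';
}

// Stricter variant (assumption, not from the thread): parse the query, require
// name to equal gallery2, and accept a URL only in parameters listed in $urlParams.
function flagged_parsed(string $qs, array $urlParams): bool {
    if (stripos($qs, 'http://') === false) {
        return false;                       // nothing for this rule to flag
    }
    parse_str($qs, $params);
    $name = $params['name'] ?? null;
    if (!is_string($name) || strcasecmp($name, 'gallery2') !== 0) {
        return true;                        // not a Gallery2 request: no exemption
    }
    foreach ($params as $key => $value) {
        $flat = is_array($value) ? json_encode($value, JSON_UNESCAPED_SLASHES) : (string) $value;
        if (stripos($flat, 'http://') !== false && !in_array($key, $urlParams, true)) {
            return true;                    // URL in a parameter that should not carry one
        }
    }
    return false;
}

// Constructed query strings; the second and third are the test values posted earlier in the thread.
$cases = [
    'name=gallery2&return=http://example.test/modules.php?name=gallery2',
    'name=http://',
    'phpbb_root_path=http://',
    'name=Forums&file=http://example.test/modules.php?name=gallery2',
    'name=gallery2&phpbb_root_path=http://example.test/',
];
foreach ($cases as $qs) {
    printf("%-68s contains=%d prefix=%d parsed=%d\n", $qs,
        flagged_contains($qs), flagged_prefix($qs), flagged_parsed($qs, ['return']));
}
```

A 1 means the request would be handed to `block_ip()`. The fourth case shows why matching the marker anywhere is the weaker exemption, and the fifth shows what the prefix check still lets through.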
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Mon Jun 26, 2006 5:02 pm |
|
| darklord wrote: | Actually... I didn't get banned at all... just blocked |
You get the sentinel message or the actual forum admin not working? |
|
|
|
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Mon Jun 26, 2006 5:13 pm |
|
It says unknown blocker duration... now this is weird |
|
|
 |
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Mon Jun 26, 2006 5:17 pm |
|
Neither are working now... I don't get blocked by the filter |
|
|
 |
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Mon Jun 26, 2006 5:31 pm |
|
Anything else you can throw my way to help me test this blocker? |
|
|
 |
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Mon Jun 26, 2006 5:39 pm |
|
That should be working. Did you turn off the filter blocker? Are you sure you copied the if statement correctly? Is everything else in Sentinel working? |
|
|
|
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Mon Jun 26, 2006 5:51 pm |
|
After checking the server I found that it's being attacked and simply may not be able to write to the database. Curious why it isn't writing it to .htaccess though. I will continue to monitor and see if this is the case or if any edits need to be made; perhaps it's my server.
And yes, I copied it all correctly, and I'm not sure if anything else is working because I'm not too sure what will trip sentinel's blockers. Yes, they are active. |
|
|
 |
 |
Dauthus Worker


Joined: Oct 07, 2003 Posts: 211
|
Posted:
Mon Jun 26, 2006 7:53 pm |
|
| technocrat wrote: | That should work; all you need to do is test it:
modules.php?name=http://
modules/Forums/admin/index.php?phpbb_root_path=http://
Should both trigger sentinel |
Just for reference, the first link triggered the Filter Abuse; the second just gave me an illegal operation also.
The only change that has ever been made to the sentinel install is the one listed above.
I tried the same links with a virgin sentinel (pl9) install and it came up with the exact same thing. |
|
|
|
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Tue Jun 27, 2006 10:35 am |
|
There was a problem with the upgrade and the full version not matching when it first came out.
Here is the default if as it is right now:
| Code: |
// Check for XSS attack
if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
OR stristr($nsnst_const['query_string'], "http://")
OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
|
stristr($nsnst_const['query_string'], "http://") should be catching the phpbb hack. |
|
|
|
 |
Dauthus Worker


Joined: Oct 07, 2003 Posts: 211
|
Posted:
Tue Jun 27, 2006 6:21 pm |
|
That's what I was saying. The code you just posted is what I have in my virgin nukesentinel.php file. The web page is kicked back with an "illegal operation" message. It doesn't trigger sentinel. |
|
|
|
 |
montego Former Admin in Good Standing

Joined: Aug 29, 2004 Posts: 9071 Location: Arizona
|
Posted:
Tue Jun 27, 2006 8:56 pm |
|
Actually, I had a really long response already typed up when I looked back above in the original hack test attempts. The second hack attempt bypasses NS because mainfile.php is not included. It is a direct access hack attempt. |
|
|
|
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Wed Jun 28, 2006 9:46 am |
|
It should be index.php->pagestart.php->mainfile.php->nukesentinel.php |
|
|
|
 |
montego Former Admin in Good Standing

Joined: Aug 29, 2004 Posts: 9071 Location: Arizona
|
Posted:
Thu Jun 29, 2006 6:41 am |
|
You are correct technocrat (should have known that!). Ok, that is not good... |
|
|
|
 |
technocrat Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005 Posts: 511
|
Posted:
Thu Jun 29, 2006 7:19 am |
|
No it's not, it's a bit concerning.
But as long as you have something overwriting phpbb_root_path RIGHT AFTER the mainfile include, the hack will not work. But it is important to try and track down the reason Sentinel is not protecting you. |
|
|
|
 |
gregexp The Mouse Is Extension Of Arm

Joined: Feb 21, 2006 Posts: 1497 Location: In front of a screen....HELP! lol
|
Posted:
Thu Jun 29, 2006 5:45 pm |
|
Uhh, I did a fresh install of sentinel and tested it again and it's still not working like you're saying, but everything else in sentinel works just fine, except the forums; </scr ipt> is allowed in my forums, and it seems this is also, and man I'm getting worried. I can't see it being a problem with the mainfile edits as it works with every other part of my site.
Any ideas? |
|
|
 |
 |
|
|
|
|