| Author |
Message |
lpiacono
New Member
Joined: Jul 20, 2006
Posts: 7
|
 Posted:
Thu Jul 20, 2006 1:02 am |
|
Hello all,
This is my frist post. I hope it is in the right place.
I have searched the forum for an answer to these questions, and although there might be an answer to the question somewhere in here, I either did not find it, or for some reason decided not to follow it because I believe it wasn't right for me.
The first issue I have is related to "triggers" Nuke Sentinel is aparently Blocking.
In my rwsRavenNuke76_v2.02.02_FULL website, I mainly use the content module to post many articles and information for my visitors. I really don't use any other module.
Having said that, I usually post the content in HTML format. Sometimes I include Javas cript popups in the HTML code which open small html files with more information on an page.
An example of what I am talking about can be found here:
[ Only registered users can see links on this board! Get registered or login! ]
Now as you can see, it has two buttons which invocke a Popup Javas-cript.
These Javas-cripts are inside the Head Tags.
You might be asking yourself how I could post this without Nuke Sentinel stopping me. Well this was posted on the website using a previous version of PHPNuke. We then updated to your beautifull release, and just migrated the old DB to the new raven release.
Now, heres the problem. I need to modify the links in that code. When I try to, I am guessing Nuke Sentinel won't allow the update because of the code I am trying to "post", which includes those illegal triggers.
I read a possible solution in your FAQ stating to replace a character in the trigger for a ASCI characters ...
[ Only registered users can see links on this board! Get registered or login! ]
Three questions, for this solution:
1. Out of all that code, which words are triggering Nuke Sentinel? That is which words do I have to replace?
2. If I can in fact post in ASCI to be able to upload "trigger" words and its in essence the same code, and everything will continue to work, why wouldn't a hacker, or whatever, use this method to bypass Nuke Sentinel (probably a noob question, but thats what I am) ...?
3. Is there any way to disable Nuke Sentinel temporarily while I update just a few pages, to then re-enable it after updates are succesfull?
I found that I can comment the includes that refrences to Nuke Sentinle in mainfile.php to disable it, but is there any other, non time consumig way?
For the moment, I am updating the code directly through phpMyAdmin, editing the table and modifying the code that way. Although this may seem a solution, several other people that post information cannot be given the SQL password. They can only use a Admin account to post through the content module.
Any ideas?
-----
As for the small question, I was having problems logging out of the GOD admin account. It would basiclly re log me in everytime I wanted to log out.
I found this solution, and it works great! -> [ Only registered users can see links on this board! Get registered or login! ]
I was wondering if anyone could please explain the difference between the original case, and the modified case which seems to now work.
Original:
| Quote: | case "logout":
setcookie("admin", false);
$admin = "";
include("header.php");
OpenTable();
echo "<center><font class=\"title\"><b>"._YOUARELOGGEDOUT."</b></font></center>";
CloseTable();
Header("Refresh: 3; url=".$admin_file.".php");
include("footer.php");
break; */ |
Modified:
| Quote: | case "logout":
setcookie("admin", false); // Sec Fix see phpnuke.org
$admin = "";
include("header.php");
OpenTable();
echo "<center><font class=\"title\"><b>"._YOUARELOGGEDOUT."</b></font></center>";
CloseTable();
// Changed redirect to index instead of admin.php
echo "<META HTTP-EQUIV=\"refresh\" content=\"3;URL=./index.php\">";
include("footer.php");
break; |
|
| |
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
| Posted:
Thu Jul 20, 2006 7:27 am |
|
First of all, welcome to RavenPHPScripts!
Second, in the future, please separate your posts into clearly defined topics rather than asking non-related questions. Just helps the flow better once we get into the responses and helps others to find these threads for similar problems.
With regards to the following:
| Quote: |
Is there any way to disable Nuke Sentinel temporarily while I update just a few pages, to then re-enable it after updates are succesfull?
|
This is now possible with NukeSentinel 2.5.0 just released. This will come integrated into the next release of RavenNuke, but that is still aways out... so you may want to upgrade now if you need that capability.
Regarding all the "triggers", there are just too many different blockers to go through that. However, if interested, all the blocker code (triggers) is in includes/nukesentinel.php.
Regarding your last question, all I can say is that the second bit of code is more widely accepted method for a wider population of browsers. |
_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... |
|
|
|
lpiacono
|
| Posted:
Thu Jul 20, 2006 11:10 am |
|
Thank you.
About posting two questions in one topic, you are absolutly right. I should of done that. It was late at night and that small detail, which was clearly listed in the rules, sort of slipped away from my mind there.
I appreciate your reply, and understand everything. I could wait until the next version of Raven comes out. Will it bring and update pack to go from my version to the new version? |
| |
|
|
|
|
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
| Posted:
Thu Jul 20, 2006 12:27 pm |
|
I've just been looking at some of the triggers as part of dealing with another problem so I'll post here the information you are looking for (or some of it). Besides nuke sentinel there are some filters in mainfile that check post strings. Here's the code and you can see what affects Javascript:
Code:if ((!isset($admin) OR (isset($admin) AND !is_admin($admin))) AND (stristr($postString,'%20union%20')) OR (stristr($postString,'*/union/*')) OR (stristr($postString,' union ')) OR (stristr($postString_64,'%20union%20')) OR (stristr($postString_64,'*/union/*')) OR (stristr($postString_64,' union ')) OR (stristr($postString_64,'+union+')) OR (stristr($postString,'http-equiv')) OR (stristr($postString_64,'http-equiv')) OR (stristr($postString,'alert(')) OR (stristr($postString_64,'alert(')) OR (stristr($postString,'javascript:')) OR (stristr($postString_64,'javascript:')) OR (stristr($postString,'bad_tag')) OR (stristr($postString_64,'bad_tag')) OR (stristr($postString,'onmouseover=')) OR (stristr($postString_64,'onmouseover=')) OR (stristr($postString,'document.location')) OR (stristr($postString_64,'document.location'))) {
header('Location: index.php');
die();
|
Sentinel checks separately for uni0n attacks and other post strings and here's the section for post strings:
Code: foreach($_POST as $secvalue) {
if((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
//(eregi("\.\./", $secvalue)) ||
(eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
block_ip($blocker_row);
|
I believe that you might be able to accomplish what you want by going into Sentinel Administration and turning off the Scripting blocker settings temporarily. |
| |
|
|
|
|
lpiacono
|
| Posted:
Thu Jul 20, 2006 1:00 pm |
|
Thank you again for the very nice reply. I really do appreciate it.
I tried setting off the scripting blocker, but as I expected it still isn't letting me make the modification.
The problem is that I am not able to identify if it is Sentinel that keeps blocking me from updating or if it is the mainfile looking for the illegal strings ... (which I recall didn't allow me to post text with the word uni0n in the past, but never had problems with javas-cript or other) ...
So it is either still Sentinel, even with script blocking disabled or the mainfile which still block the update ...
I'll read a little through the files and see what I can get. For now I will continue to modify the pages using SQL viewer myphpadmin, editing the table directly.
Thanks for everything. If you guys have any more tips they will be appreciated. I will post as soon as I have an update.
Thanks! |
| |
|
|
|
|
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
|
| Posted:
Thu Jul 20, 2006 1:21 pm |
|
with the latest sentinel, I believe the union code has been removed from the mainfile and inserted into the sentinel files, I believe the upgrade has a core edits to make and one is to comment out the union blocker.
Exactly what happens when you try to enter the popup code?
Also be careful not to use the same javascript function twice or at the same time, This will stop one from being used.
As for the admin logout, I have found that code works because it redirects you to a different part of the site, then when you go into admin, It forces your browser to refresh and not use its last cookie, The alternative would be to set your browser to check for new cookies always, that way it doesnt use the old cookies when header refresh is called(IMO). That actually fixed my problem, wasnt nuke at all, My browser. |
_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! |
|
  
  |
|
lpiacono
|
| Posted:
Thu Jul 20, 2006 2:54 pm |
|
Darklord,
Thank you for your reply. Honestly, and this goes for everyone, I have never been helped out so much and so quickly on these type of matters.
Going back to my issue, when I try to enter the popup code, since I have several triggers such as <sc-ript> and <Javas-cript>, I am automaticly taken to index.php and updates aren't done.
It would be interesting to see if I could use the new sentinel to at least de-activate this function while I am updating the code, and then re-activate it once the page is in production again to secure my website, because I in no way plan to disable the function.
I just need to edit many pages to update links, since I installed the new raven pack in a seperate root directory.
Modifying all these pages through SQL is possible but tedious. If I could just disable the protection for a few minutes I could do this so easily. then I could reactivate the protection which is necesary in our case.
As for the small question concerning the logout. I imagined it had to do with the browser. Problem is that we have a many admins. I cannot trust them with there settings and just how responsible they are.
That is why this code saves me from having to trust them.
Now what I cannot seem to understand is just how redirecting to another page on the site makes a difference?
Only when I am not redirected to admin.php - the cookie expires? Why wouldn;t the cookie expire right after I logout? |
| |
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
| Posted:
Thu Jul 20, 2006 3:11 pm |
|
| Quote: | | Only when I am not redirected to admin.php - the cookie expires? Why wouldn;t the cookie expire right after I logout? |
- because it requires a refresh of the browser to unset the cookie I believe. Sometimes, depending on the browser etc etc refreshing the same page does not always clear it and as far as I am aware, when you log out of admin it should refresh to the site index.php and not to the admin.php - I must confess I never log out so I havent done that for a while. |
| |
|
|
|
|
fkelly
|
| Posted:
Thu Jul 20, 2006 3:17 pm |
|
I was doing a view source on your page and saw the scr_pt in there and I'd bet that's what's triggering the rejection. I think it's for good reason that Sentinel doesn't want to allow the scr_pt tag but obviously you need to override it.
I have a test site set up that runs diagnostics and if you can email me the text that you are trying to insert as content I can at least see where this is getting triggered ... mainfile versus sentinel.
I'm pm'ng the email if you want to try that. |
| |
|
|
|
|
lpiacono
|
| Posted:
Fri Jul 21, 2006 12:23 pm |
|
OK ...
Thank you for all your replies. Real quick, I sent off the email, so again I would appreciate if you could infact confirm if its the mainfile or Sentinel or both to that matter.
Now, I would appreciate if someone could confirm the following quote:
| Quote: | | with the latest sentinel, I believe the union code has been removed from the mainfile and inserted into the sentinel files, I believe the upgrade has a core edits to make and one is to comment out the union blocker. |
That would be great. I would just update to sentinel which has the new Temp Disable option (right?), and then turn it off for a while, update everything and turn it back on.
As for the login/logout issue, the new code was working for a while, but I am afraid it isn't working any longer, for some odd reason. Honestly, it beats me why it ain't working.
I worry about this matter alot because the problem is that several admins access the admin area from different computers at different locations.
This translates to the cookie not expiring on those PCs and the next person to "open" the website on that PC (non-admin user), having administrative privliages.
For now, the website is still being modified (in test fase), so no one else but admins has access. But I cannot allow this to happen once we go live. Any other suggestions? Perhaps modify the cookie timeout? or some other setting to make it more restrictive?
I cannot deal with setting up browser settings because I cannot trust the other admins will actually sit down, even if it takes 2 minutes, to setup the browser where they are working at. They simply won't.
This is why I asked this question, I knew it was going to bring more complications in the future.
Any suggestions will be appreciated.
Thanks! |
| |
|
|
|
|
fkelly
|
| Posted:
Fri Jul 21, 2006 2:15 pm |
|
I can't reply to what's in the latest Sentinel because I haven't looked at that. I do know that the version of mainfile that's currently "active" for the next release has the union and post and get checking in it that overlaps (somewhat) with Sentinel. Whether that will be changed is not my decision but I can say it is a complicated set of work with a lot of implications and is not something that will be "rushed".
I've tried to look at how your content is incorporated in a content page. I've been trying a couple versions of mainfile on my test site and I've been able to get the content loaded with all of them. You can look at http://fkelly.org and down at the content in the center bottom of the page.
Obviously I'm missing something about how you are putting this stuff into the content box or how you are trying. Can you provide me step by step instructions on what you are doing ... go to the content editor and copy and paste the text in or what? I have echoes and other traps in sentinel and mainfile to tell me where the problem is happening but I can't reproduce it immediately. |
| |
|
|
|
|
lpiacono
|
| Posted:
Fri Jul 21, 2006 2:40 pm |
|
I just simply paste the code I sent you via email into a new page in a new category in the content module.
Is that what you are asking me for? |
| |
|
|
|
|
fkelly
|
| Posted:
Fri Jul 21, 2006 3:43 pm |
|
Yes, that's what I was asking.
You can see the page that I copied in on my site. If you look at view source you will see that everything has been "htmlentitied" ... that is there are no Scr_pt or other commands remaining really. Then if you look at the page on your site you will see it's not htmlentitied. I'm thinking that one difference may be that I'm using the wysiwyg editor and you are not? Therefore my codes are being "escaped" while yours are not?
I realize that this doesn't solve your problem and I'm not sure how you'd go about getting those codes out there with the wysiwyg editor. I'm not even positive that's the source of the problem but I will keep looking as time permits (and that's going to be limited over the next few days). |
| |
|
|
|
|
lpiacono
|
| Posted:
Mon Jul 24, 2006 2:56 pm |
|
Well,
There is a small update. We have decided that until the Ravenphpscripts doesn;t release the udpate, I will continue to manually edit everything through SQL.
New pages that need popup windows will be replaced with a simple <a href="" target="_blank"> tag ... to open in a new window.
However, to my amaze ... after deciding this, a co-worker of mine happened to send me an email about a line of code he is currently using. He works on Flash animation of the website and uses a special script that disables the small ActiveX Box Warning that comes with latest Flash Players that is intended to, in some way, stop ActiveX apps from running without user confirmation.
Its that annoying Gray Box that appears around the Flash Animations that requires you click the box before being able to interact with the flash animation.
Anyways, heres the line he uses:
| Quote: |
<sc-ript type="text/javas-cript" src="MOD/dactivex/ieupdate.j-s"></sc-ript>
|
The line obviously does not have the "-".
Now, where am I going with this? He can post this up on any page, in any part of my website without a problem. But as soon as we add some of the other code I am having trouble with, we get the error.
This small peice of code, however, goes through sentinel and phpnuke mainfile protection without a problem.
Any suggestions?
Any reason?
Anyone think there is a serious problem either with my install of PHPNuke or something? |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
