Filter System is Banning Admins

registered · Posted: Thu Jun 29, 2006 7:10 pm

Hello everybody,

I just wanted to report that NukeSentinel is banning legitimate Admin functions. For example, today somebody submitted a download and I went to visit the homepage and got banned. The Nuke Administration Panel sends you to a URL like this:

Code:

http://www.domain.com/index.html?url=http://www.domain.com/

NukeSentinel is great and I wouldn't run without it, but can we lighten it up a bit for legitimate Admin functions?

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Which download module are you using?

Posted: Thu Jun 29, 2006 9:14 pm

Just the basic 7.6 Nuke module for now. This is in the Admin area though.

When somebody submits a Download, nuke gives you a link to download the file yourself and visit the homepage. These links are in the above format and NukeSentinel bans you for it.

Posted: Thu Jun 29, 2006 9:21 pm

sounds like u have gt installed but not properly functioning with the downloads module.

Posted: Thu Jun 29, 2006 9:25 pm

I run Googlifier, but nothing in the Admin area is "Rewrote". This is standard Nuke code.

Posted: Thu Jun 29, 2006 9:30 pm

Then thats the issue I think, same thing as getting rid of the sid in forums, but others have far more expertise then I as I have never delt with gt or anything like it.

Posted: Fri Jun 30, 2006 5:37 am

I don't think this has anything to do with mod_rewrite. Here is the Nuke code from the admin file in the Downloads module:

File Check:

Code:

."" . _FILEURL . ": <input type=\"text\" name=\"url\" value=\"$url\" size=\"50\" maxlength=\"100\">&nbsp;[ <a href=\"index.php?url=$url\" target=\"_blank\">" . _CHECK . "</a> ]<br>"

Visit link:

Code:

."" . _HOMEPAGE . ": <input type=\"text\" name=\"homepage\" size=\"30\" maxlength=\"200\" value=\"http://$homepage\"> [ <a href=\"index.php?url=http://$homepage\">" . _VISIT . "</a> ]<br>";

Nuke writes these links in the above format and NukeSentinel will ban you for it.

Posted: Fri Jun 30, 2006 3:17 pm

hmm, I'm gonna need to test my 7.6 on my test site and see what I come up with.

I'm curious if this hasent been updated with the latest patch.

Sells PC To Pay For Divorce Joined: Posts: 5661

does it change anything if you give the _VISIT a target like _CHECK ?

Posted: Sat Jul 01, 2006 6:25 am

No, both links ban me.

Theme Guru Joined: Nov 01, 2003 Posts: 1006

the same thing happens on sites that use nukewrap. I have had to disable the filter on those sites because of the constant ban of admins and regular users.

Posted: Sat Jul 01, 2006 7:22 am

so it looks like sentinel thinks the visited website address is hitting the admin area.
if im explaining it correctly...

Posted: Sat Jul 01, 2006 7:30 am

it seems to have an issue with http being in the strings.

http://www.domain.com/index.html?url=http://www.domain.com/

nuke wrap does the same kind of thing and it blocks you right away. It is the http after the url= that is the issue. There is no way around it if you use nukewrap or some other functions like mentioned in this post. I hope that a solution is found as I am sure disabing filter cannot be the best choice lmao.

Posted: Sat Jul 01, 2006 10:41 am

thats right, the http in the string will trigger sentinel, I'd recomend that you change to nsn downloads which wont put an http in your string. From my understanding, some possible hacks use an outside resource to difne things like modules.php?name=http

I'm positive they have implimented this to stop this form of attack and therefore I wouldnt recomend disabling it. NSN downloads has not triggered sentinel on my site at all and I think this would help you.

Posted: Sat Jul 01, 2006 3:10 pm

situations could easely vary for others.
this never happend to me,not with the downloads module.
i do use a different one but before that it never happend nor on the sites i maintain,as far as i know of anyway..

registered · Posted: Wed Jul 05, 2006 8:56 pm

Yes, it is definitely the "http" in the query string. I am not certain if NSN Downloads uses this in validation of external links. None of the download modules have an issue with links that are internal to the nuke site that I am aware of.

BTW, this additional security was placed into NS2.4.2pl9 to help stop the various phpBB exploits giong around.

It should probably be "loosened up a bit" for the admins at least.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

It was there before pl9. We started blocking http quite a while ago, if I remember correctly. It may have been lifted at some point and then put back in, but this is just one of the cases where NukeSentinel(tm) is overly cautious. In cases like these it is virtually impossible to work around it. It's an all or nothing situation. However, if you're a protected admin, you shouldn't be having the problem. Protected admins should never be banned nor caught in the blocker sections.

Posted: Thu Jul 06, 2006 7:02 am

I am a protected Admin and I get (sort of) banned. In other words I get the banned page just like anybody would but it doesn't store my ip in the database of blocked ips and it doesn't write to the .htaccess. But I do get the banned page.

If it truely worked like Raven's last sentence above, it would work perfectly the way it should. But as of right now, Admins can still trigger it and get the banned page.

Posted: Thu Jul 06, 2006 8:39 am

manunkind wrote:

I am a protected Admin and I get (sort of) banned. In other words I get the banned page just like anybody would but it doesn't store my ip in the database of blocked ips and it doesn't write to the .htaccess. But I do get the banned page.

If it truely worked like Raven's last sentence above, it would work perfectly the way it should. But as of right now, Admins can still trigger it and get the banned page.

We purposely did it that way to be sure the ban was working while at the same time protecting the admin. Otherwise you have no [easy] way of "testing".

Posted: Thu Jul 06, 2006 6:32 pm

Ahh ok. I see the logic in that.

Posted: Thu Jul 06, 2006 10:49 pm

Ah, me too... now... Wink