Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Tue Aug 29, 2006 6:06 pm
I just noticed the following in my 7.9 w/ 3.2 patched mainfile.php
Code:
$postString = "";
foreach ($_POST as $postkey => $postvalue) {
if ($postString > "") {
$postString .= "&".$postkey."=".$postvalue;
} else {
$postString .= $postkey."=".$postvalue;
}
}
str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if ((!is_admin($admin)) AND (stristr($postString,'%20union%20')) OR (stristr($postString,'*/union/*')) OR (stristr($postString,' union ')) OR (stristr($postString_64,'%20union%20')) OR (stristr($postString_64,'*/union/*')) OR (stristr($postString_64,' union ')) OR (stristr($postString_64,'+union+')) OR (stristr($postString,'http-equiv')) OR (stristr($postString_64,'http-equiv')) OR (stristr($postString,'alert')) OR (stristr($postString_64,'alert'))) {
header("Location: index.php");
die();
}
This code is very similar to the code that the edits for core files in NukeSentinel says to comment out in the latest 2.5.2 update. Should I comment it out? Is NS already watching for this type of stuff?
I had a heck of a time posting a news story that contained the word 'alert'. I tracked it down to this code.
Thanks.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Aug 29, 2006 6:59 pm
You could also try "wrapping" it like this:
Code:
if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {
$postString = '';
foreach ($_POST as $postkey => $postvalue) {
if ($postString > '') {
$postString .= '&'.$postkey.'='.$postvalue;
} else {
$postString .= $postkey.'='.$postvalue;
}
}
str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if ((!isset($admin) OR (isset($admin) AND !is_admin($admin))) AND (stristr($postString,'%20union%20') OR stristr($postString,'*/union/*') OR stristr($postString,' union ') OR stristr($postString_64,'%20union%20') OR stristr($postString_64,'*/union/*') OR stristr($postString_64,' union ') OR stristr($postString_64,'+union+') OR stristr($postString,'http-equiv') OR stristr($postString_64,'http-equiv') OR stristr($postString,'alert(') OR stristr($postString_64,'alert(') OR stristr($postString,'javascript:') OR stristr($postString_64,'javascript:') OR stristr($postString,'bad_tag') OR stristr($postString_64,'bad_tag') OR stristr($postString,'onmouseover=') OR stristr($postString_64,'onmouseover=') OR stristr($postString,'document.location') OR stristr($postString_64,'document.location'))) {
header('Location: index.php');
die();
}
}
Gremmie
Posted: Tue Aug 29, 2006 7:05 pm
Yeah, in the recent core edits, the instructions showed commenting out code like this, even though it already had an if (!file_exists('includes/nukesentinel.php')) around it.
I found all the places in the instructions in my mainfile, but then I noticed I had an additional chunk of code (above) that looked very similar, but no mention of it in the instructions. Just curious. I'm assuming NS does look for union attacks, but does it handle javascript alerts (and the others)?
Are javascript alerts dangerous?
montego
Posted: Tue Aug 29, 2006 7:20 pm
Quote:
Are javascript alerts dangerous
It can be a form of XSS attack. Essentially, one could inject some javascript code that could echo out your admin cookie (for example) in an alert box.
So, yes, it can be dangerous.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Wed Aug 30, 2006 11:39 am
I recommend changing "alert" to "alert(" - that should keep the protection and not block valid word usage
Gremmie
Posted: Wed Aug 30, 2006 12:36 pm
Thanks.
But what about "alert (" ?
Maybe have to use a regular expression with 0 or more spaces between the alert and (.
But my question remains. If I comment out this code, does Sentinel protect against alert and http-equiv (whatever that is)? I guess I will grep the Sentinel code.
evaders99
Posted: Wed Aug 30, 2006 1:41 pm
Does the space affect the usage in Javascript? I haven't tested it myself
montego
Posted: Thu Aug 31, 2006 2:12 am
I have looked at the original code you posted and the mainfile.txt file edits and NO, the ones you posted should NOT be commented out! They are nowhere to be found in the mainfile.txt core edits file....
Gremmie
Posted: Thu Aug 31, 2006 11:14 am
Hi -
I know they are not in the mainfile.txt core edits file. However it seems like a huge sledgehammer to reject a forum post because it contains the word union. It has already happened a few times. It seems to work okay here. Doesn't Sentinel handle union in a more intelligent way than the code I posted? I would guess so, cause I can post here, and this site runs Sentinel....right?
Assuming Sentinel handles union, then I only have to deal with alert and the http-equiv. I will probably do what evaders99 suggests for alert (but I will look into the spaces) and just leave the http-equiv check. That's not too likely to come up in casual conversation on my board.
That is, unless someone can tell me that alert and http-equiv are already handled by Sentinel. In that case I probably could remove all of that code.
Comments?
(BTW, does anyone know what the concern with http-equiv is? I like to understand things and not just blindly carry them forward).
evaders99
Posted: Thu Aug 31, 2006 11:28 am
Gremmie
Posted: Sat Sep 02, 2006 1:53 pm
You can have spaces between the function name and opening ( in javascript.
Try this in your browser's URL/address bar:
Code:
javascript: alert ('hi');
evaders99
Posted: Wed Sep 06, 2006 12:29 pm
We're going to have to use regular expressions then to detect it. Arg
Gremmie
Posted: Mon Dec 25, 2006 10:56 pm
Bump.
I just upgraded to 2.5.04 (thanks team! - donation on the way).
Just to recap, 7.9 (at least) has this weird chunk of code not mentioned in the core edits section that sends you to the index.php page if your post contains union, alert, or http-equiv (see the first message in this thread).
I'm assuming Nuke Sentinel protects against this stuff already, and I can remove this troublesome bit of code. Correct?
As it stands, my users can't make forum posts with the word union or alert in them. I noticed that you can on this site. Thanks.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Tue Dec 26, 2006 12:48 am
I know union is now handled differently so that could probably be removed in mainfile. The others I'm not sure about, might be worth checking includes/nukesentinel.php to be sure.
It would be really nice to have a proper list of words or strings that NS 'blocks' in its default mode as I suspect there are a great many users that wouldn't be able to read the 'code' and work it out - and that includes me!
montego
Posted: Tue Dec 26, 2006 2:07 pm
I could have sworn that the 2.5.03 instructions had comments in the installation instructions to remove that code in mainfile.php.
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Tue Dec 26, 2006 4:41 pm
I am pretty sure that section of code is commented out in the upcoming RN2.10 release. We had a pretty extensive discussion a while back and (a) there is a bug in the logic of the code in 2.02 and prior mainfiles that essentially removes the administrative exemption and (b) Sentinel protects against the same thing. Somewhere in another thread I posted a fix to the current mainfile logic that fixes the logic ... something to do with the number of parentheses.
I believe but I am not sure and don't have the energy to verify it right now that 2.10 is proceeding based on Sentinel protecting against the same threats. But there are a couple permutations of threats discussed earlier in this thread that we might want to go back and look at.
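As an added example (not code from this thread, PHP-Nuke or NukeSentinel), here is a PHP rewrite of the mainfile.php check that groups the admin exemption around the whole pattern test, the parentheses bug fkelly describes, and matches alert with optional whitespace before the opening parenthesis, as Gremmie and evaders99 discuss above. Function names are invented for the illustration.

```php
<?php
// Added example, not code from the thread, PHP-Nuke or NukeSentinel; function names are made up.

// Rebuild the "key=value&key=value" string the original check builds.
function build_post_string(array $post): string {
    $parts = [];
    foreach ($post as $k => $v) {
        $parts[] = $k . '=' . $v;
    }
    return implode('&', $parts);
}

// The original patterns, with the bare word "alert" replaced by alert followed by
// optional whitespace and "(", so prose with the word passes but "alert (" is caught.
function post_looks_hostile(string $postString): bool {
    $raw = str_replace('%09', '%20', $postString); // the original dropped this result
    // The original also tests a base64-decoded copy; strict mode returns
    // false for non-base64 input, which becomes an empty string here.
    $candidates = [$raw, base64_decode($raw, true) ?: ''];
    $patterns = [
        '/%20union%20/i', '/\*\/union\/\*/i', '/ union /i', '/\+union\+/i',
        '/http-equiv/i',
        '/\balert\s*\(/i',
        '/javascript\s*:/i',
    ];
    foreach ($candidates as $s) {
        foreach ($patterns as $re) {
            if (preg_match($re, $s) === 1) {
                return true;
            }
        }
    }
    return false;
}

// The admin exemption now wraps the whole pattern test instead of only
// the first stristr(), which is what the misplaced parentheses did.
function should_redirect(array $post, bool $isAdmin): bool {
    return !$isAdmin && post_looks_hostile(build_post_string($post));
}

// Constructed sample posts: ordinary prose containing the word "alert", a
// script injection with a space before "(", and that same injection from an admin.
foreach ([
    ['The alert sounded at noon', false],
    ["<script>alert ('x')</script>", false],
    ["<script>alert ('x')</script>", true],
] as [$msg, $admin]) {
    var_dump(should_redirect(['message' => $msg], $admin));
}
```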
binhaus
Hangin' Around
Joined: Oct 17, 2006
Posts: 25
Posted: Tue Apr 03, 2007 7:50 am
Hi
I have the exact same problem here..
My nuke is really patched to 3.2 and using NS 2.5.05
Not updated to 2.5.07 yet
In the instructions it says to comment out both types of the code in the first two posts here...
It seems NS really fixes that problem.. without using the code in mainfile.php
But why can't my forums post anything with the words alert or union??
Any help???..
Thanks