CodyG
Life Cycles Becoming CPU Cycles
Joined: Jan 02, 2003
Posts: 714
Location: Vancouver Island
Posted: Thu Jan 17, 2008 4:46 am
Hi ...
We (our club webteam) are having a problem with regular users accessing our modified Feedback module. The link works fine if one is logged in as admin, but throws an unknown sentinel block if one is either a visitor or registered user.
name=FeedbackX&selector=contactExec
and the html looks like this:
The Executive Directors can be contacted as a group <a href="http://....org/modules.php?name=FeedbackX&selector=contactExec">here </a>
Any ideas why this is happening? Might this have something to do with the Exe string? If so, is there a way I can allow exec???
You have been blocked from entering this site.
You have attempted an unknown access point on this site.
All of the following information has been gathered to assist the webmaster in resolving this issue.
If you think this is a mistake you can contact the site webmaster at ....
Be SURE to include the following information in any email!
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Query String: name=FeedbackX&selector=contactExec
GET String: name=FeedbackX&selector=contactExec
POST String:
Referer: none
Request Method: GET
Remote Address: xx.xx.xx.xxx
Client IP: none
Forwarded For: none
Date Blocked: 2008-01-17 @ 02:29:18 PST GMT -0800
Block expires: Permanent
_________________
"We want to see if life is ubiquitous." D.Goldin
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Thu Jan 17, 2008 8:10 am
Pretty sure it's the "exec" part. Your admin may be under the protected IP range.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Thu Jan 17, 2008 9:45 am
Yup, there is a specific check for the string 'exec'.
CodyG
Posted: Thu Jan 17, 2008 11:12 am
Thanks ... I suspected that Exec string ... it was changed and all is working as it should.
Is there a list of exclusions in one of the Sentinel files?
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Thu Jan 17, 2008 11:26 am
And just to be a bit more specific, the actual line of code that's probably getting you comes in the XSS attacks section:
[code]OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )[/code]
So, you can see that there was some attempt to exempt the word "executive" while capturing the word "exec" by itself. Short term maybe you could change your magic selector word? Or you could comment that line out in NukeSentinel.php in your /includes directory. Or you could create an extra AND condition to allow for "contactExec". AND of course you could remember to put that back in next time there's a Sentinel update.
fkelly
Posted: Thu Jan 17, 2008 12:57 pm
Just wondering as I walked back with the groceries, could we not just filter for the string " exec "? That's with a space before and after the four letters of exec. Is there a way an attacker could execute an attack without having a space before and after that word?
Guardian2003
Posted: Thu Jan 17, 2008 4:41 pm
I'm not following you. Why would you want to exclude it from the filter if it has a space before or aft? It wouldn't be a valid URL or function call with a space, would it?
fkelly
Posted: Thu Jan 17, 2008 5:52 pm
I think we are having a problem with the nomenclature. What the current code is saying (and correct me if I'm wrong) is if the string "exec" is in the query string and the query string does not contain the string "execu" (which I take it is part of execution, executive and other legitimate words that we don't want to block) then block the string.
This is part of a section of code that seeks to block XSS attacks. It also blocks cmd=
I am just saying that if we blocked any string that had " exec " in it (with the space before and after), we'd catch all the bad guys and we wouldn't run into situations like the one CodyG started this thread with. At least that's my proposal, but I know there are others here who know much more about these kinds of attacks and I just wanted to float the idea out. If it floats here we can send it on to Bob Marion for his consideration.
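To make the trade-off in this thread concrete, here is an added example (not NukeSentinel's code and not from any poster) that mirrors the quoted PHP condition in Python, puts fkelly's space-delimited " exec " proposal beside it, and adds a third, whole-token variant of my own that decodes the query string before matching. The sample query strings are constructed; only the first is the URL from the original post.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings (not captured traffic). The first one is the
# link from the original post that Sentinel blocked for a regular user.
SAMPLES = {
    "contactExec": "name=FeedbackX&selector=contactExec",
    "executive":   "name=FeedbackX&selector=contactExecutive",
    "bare exec":   "name=Search&q=exec",
    "encoded":     "name=Search&q=run%20exec%20now",
}


def current_rule(qs: str) -> bool:
    """Mirror of the PHP line quoted above:
    stristr($qs, "exec") AND !stristr($qs, "execu").
    stristr() is case-insensitive, hence the lower()."""
    q = qs.lower()
    return "exec" in q and "execu" not in q


def spaced_rule(qs: str) -> bool:
    """fkelly's proposal: block only ' exec ' with a space on each side,
    applied to the raw query string exactly as Sentinel sees it."""
    return " exec " in qs.lower()


def boundary_rule(qs: str) -> bool:
    """Added alternative (not from the thread): URL-decode first, then match
    'exec' only as a whole token, so 'executive' and 'contactExec' pass while
    a standalone 'exec' is still caught, encoded spaces included."""
    return re.search(r"\bexec\b", unquote_plus(qs), re.IGNORECASE) is not None


def evaluate(samples=SAMPLES):
    """Return {label: (current, spaced, boundary)} block decisions per sample."""
    return {k: (current_rule(v), spaced_rule(v), boundary_rule(v))
            for k, v in samples.items()}


if __name__ == "__main__":
    for label, (cur, sp, bd) in evaluate().items():
        print(f"{label:12s} current={cur!s:5} spaced={sp!s:5} boundary={bd!s:5}")
```

Running it shows the current rule blocking "contactExec" (the false positive in this thread), the raw-string " exec " rule missing both a bare "exec" parameter and a "%20exec%20" one because the raw query string contains no literal spaces, and the decoded whole-token rule catching those two while passing "contactExec" and "executive".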