Important Security Bug/Fix

registered · Posted: Tue Sep 25, 2007 10:26 am

There is an advisory out for Sentinel. The problem is with the admin code in nsbypass.

includes/nsbypass.php

Code:

 $a_aid = "$abadmin[0]";


$a_pas = "$abadmin[1]";

Should probably be:

Code:

 $a_aid = FixQuotes($abadmin[0]);


$a_pas = FixQuotes($abadmin[1]);

I am unsure why the decision was made to reinvent the is_admin function as you could just use that instead since your already including the mainfile.

If you wanted to really be tougher you could just look for ' or " and stop right there.

I choose to just use the is_admin function and strip all that out, but I figure might as well pass the fix for the code as it is.

registered · Posted: Tue Sep 25, 2007 11:53 am

Thanks technocrat.

This is sort of related to another discussion, but why wouldn't you use addslashes() vs. FixQuotes()? I am not sure what the history or purpose of FixQuotes is.

Posted: Tue Sep 25, 2007 11:59 am

Actually technically neither one of those is correct per say.

The more effective way is to use mysql_escape_string/mysql_real_escape_string or the correct function depending on the db used. Which is the way FixQuotes is in Evo. I kind of thought that's the way it is in RN but it appears I am wrong. Probably be safer with addslashes in this case.

registered · Posted: Tue Sep 25, 2007 3:18 pm

Thanxs - I'm looking out for these issues in Sentinel. Glad you found some more, if Bob hasn't been emailed, I'll email him

Posted: Tue Sep 25, 2007 3:22 pm

Waraxe gets the credit he found it.

I did right after the advisory was posted.

Posted: Tue Sep 25, 2007 3:51 pm

Fixed in 2.5.12

Posted: Tue Sep 25, 2007 8:52 pm

technocrat wrote:

Fixed in 2.5.12

Yes, looks like Bob has it in the downloads section on nukescripts.net.

Posted: Wed Sep 26, 2007 9:14 am

Does anyone really understand what nsbypass.php is used for? I just did a search of my entire ravennuke directory and the only place the string nsbypass is found is in ABTrackedRefers.php.

Also, nsbypass includes mainfile.php which reads in the config table and sticks the field nukeurl into the variable $nukeurl. So why can't nsbypass use $nukeurl instead of reading in * from the config table and then only using nukeurl again.

Or maybe tell me if I'm wrong. You've gotten yourself into the display tracked refers(sp) screen. You should be an admin to get there no? The program goes out to the tracked_ips table and finds the referer (tid). A list is built up. If you click on a referer link the href sends you off to nsbypass where you are validated as an admin all over again. If you pass then we read the tracked_ip table again and take you to the link. If you fail the admin test then the read of the authors table will turn up a zero result for you and you'll be taken back to the nukeurl ... which is index.php.

Am I missing something or is this an excess of caution?

Posted: Wed Sep 26, 2007 9:34 am

It's so you can view referred URLs without giving them a referral on their site I guess.