MS_Topsites triggers Sentinel

registered · Worker Joined: Oct 07, 2003 Posts: 211

Clicking on the link to report suspected cheating bans the user. Here's the email:

Code:

User Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)


Query String: www.website.com/modules.php?name=MS_TopSites&file=stats&op=MSTopSitesCheat&id=5&sname=Website Name&surl=http://www.website.com


Get String: www.website.com/modules.php?name=MS_TopSites&file=stats&op=MSTopSitesCheat&id=5&sname=Website Name&surl=http://www.website.com


Post String: www.website.com/modules.php Forwarded For: none

I checked this myself and it does ban the user. I know the problem is in the "&surl=http://" section of the code.

I guess what I am asking here is if I can keep adding modules to the XSS attack in the following manner:

Code:

// Check for XSS attack 


  if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath) 


  // Added protection for gallery2 module 


  //OR stristr($nsnst_const['query_string'], "http://") 


  OR ( stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery2")) 


  // END gallery2 protection 


// ADD MS Topsites protection


OR ( stristr($nsnst_const['query_string'], "http://")  AND !stristr($nsnst_const['query_string'], "modules.php?name=MS_TopSites")) 


// END MS Topsites protection


  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") ) 


  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") ) 


  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) { 


    block_ip($blocker_row); 


  } 


}

Is it OK to just keep adding modules as they are needed?

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Looks like it's trying VERY hard to prevent more than just XSS. I guess you can keep adding...

registered · Posted: Sun Jul 16, 2006 11:17 pm

Now does MS_Topsites need to be passing the full URL at all? It would be best to rewrite it if possible using ID numbers

Posted: Mon Jul 17, 2006 4:54 am

To clarify, I think evaders99 means to change MS_Topsites.

Sells PC To Pay For Divorce Joined: Posts: 5661

lol....but http://majestic12.co.uk/bot.php isnt a user..
thats a very annoying bot .
however the banning part does happen....last week a member got banned after rating a site...

Regular Joined: Nov 03, 2007 Posts: 52 Location: Nagalim

persona_non_grata wrote:

lol....but http://majestic12.co.uk/bot.php isnt a user..
thats a very annoying bot .
however the banning part does happen....last week a member got banned after rating a site...

LOL I don't know whether it is a good bot or a bad bot...but i guess NukeSentinel doesn't like it. Getting banned emails everyday. Rolling Eyes

[code]Date & Time: 2007-12-28 08:40:06 CST GMT -0600
Blocked IP: 125.232.93.24
User ID: Visitor (1)
Reason: Abuse-Script
--------------------
User Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
Query String:
www.mywebsite.com/modules.php?name=Video_Stream&page=broken&id=28&vidname=Ruokuovotuo:-Home-(Naga-Idol-2.07-Contestant)
Get String:
www.nmywebsite.com/modules.php?name=Video_Stream&page=broken&id=28&vidname=Ruokuovotuo:-Home-(Naga-Idol-2.07-Contestant)
Post String: mywebsite.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 125.232.93.24
Remote Port: 3853
Request Method: GET
--------------------
Who-Is for IP
[code]

Posted: Sat Dec 29, 2007 2:49 am

That is because you are using parenthesis in the video name. Just remove those parenthesis.

This also happens on the Downloads module

Posted: Sun Dec 30, 2007 6:19 am

Oh thank you so much evaders99 Smile

I will check that out:)