Author |
Message |
AndyB
Worker


Joined: Jun 03, 2004
Posts: 231
Location: Torrevieja, Spain
|
Posted:
Sat Feb 10, 2007 1:49 pm |
|
hi guys;
Nuke 7.6
Chatserve patch 3.3
Dis Errors
Gallery 1.1.5 pl1
Sentinel 2.5.01
I've got the two running together, gallery shows as a module and works ok, etc. BUT when a user tries to rename an album (not sure if anything else) it bans the user. Admins cannot rename an album (the directory on the server- although Sentinel doesn't ban them)
I've just spotted there's a Sentinel update available- which I will endeavour to do tomorrow.
I've done searches on here etc. but you use google for searches (not good in my experience- you can't select which forum to search in, just the whole site)
I'm sure I've had something similar to this in the past... any ideas?
The message from Sentinel is this:
Code:Blocked IP: 217.208.xx.xxx
User: <removed by me>
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Blocked on: 2007-02-09 13:17:18
Notes: Added by NukeSentinel(tm)
Reason: Abuse-Filter
Query String:
Get String:
Post String:
Forwarded For: none
Client IP: none
Remote Address: 217.208.xx.xxx
Remote Port: 1891
Request Method: GET
Query String: /modules.php?parentName=audioc&return=modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Get String: /modules.php?parentName=audioc&return=/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Post String: /modules.php
|
I've removed the website URL deliberately.....
User tries to create an album- blocks him
While searching on here, I found something that may have helped:-
http://www.ravenphpscripts.com/postt10177.html presumably from the fixes instigated by Chatserv?
Code:
// Check for XSS attack
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin'])) {
  if( eregi("http\:\/\/", $name) OR eregi("http\:\/\/", $file) OR eregi("http\:\/\/", $libpath)
  // Added protection for gallery2 module
  //OR stristr($nsnst_const['query_string'], "http://")
  OR ( stristr($nsnst_const['query_string'], "http://") AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery"))
  // END gallery protection
  // OR stristr($nsnst_const['query_string'], "http://") rem by Andy
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
|
I know the fix was for Gallery2- I edited to try to work with Gallery1. It didn't work though- it still banned the user....
Any comments/ suggestions welcome! |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sun Feb 11, 2007 10:20 am |
|
We're not ignoring you - we just don't have any answers for you. I don't use Gallery so I don't even have a test bed to try this on. Hopefully there are other users out there that can try this as I know there are many that run NukeSentinel(tm) and Gallery. |
|
|
|
 |
AndyB

|
Posted:
Sun Feb 11, 2007 12:23 pm |
|
Ok- thanks Raven;
I didn't know if it was something that affected other modules in a similar way also. (There were over 10,000 photos on the site, btw)
I've no objection to trying different bits of code- I've got one of the site's regular users who is happy for us to keep trying stuff- and him getting banned/ me unbanning him regularly
I would have thought that this was a fairly common module to be used on sites with Sentinel- surely someone must have come across this before though? |
|
|
|
 |
Dauthus
Worker


Joined: Oct 07, 2003
Posts: 211
|
Posted:
Sun Feb 11, 2007 4:44 pm |
|
The edit you entered won't work with your version or your issue.
The simple reason was the edit in the post you referenced was to "allow" the
in the string. The
Code:modules.php?name=gallery
|
portion was added so only that link would be allowed with the
to work in sentinel.
Your issue does not have the
in the string.
I am fairly sure the
is what is causing the ban. It is part of the XSS code in the includes/nukesentinel.php here:
Code:
// Check for XSS attack
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
  if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))
  OR stristr($nsnst_const['query_string'], "http://")
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
  }
}
}
|
Specifically this line:
Code: OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
|
The sentinel gurus here should be able to code you a safe inclusion of the gallery module to this line. |
_________________
Vivere disce, cogita mori |
|
|
 |
AndyB

|
Posted:
Sun Feb 11, 2007 4:56 pm |
|
cheers!
Fingers crossed- I've tried the nukegallery forums as well, trying to cover "bases"- allowing a couple of days between each new post (each forum- including UK support site)
I really need this (obviously)
I'm trying to avoid cross site posting, where possible.
I understood (maybe wrongly) that the issue may have been to do with the "http" being in the title- obviously not.
Fingers crossed.....
Cheers for all help and suggestions- it is appreciated! |
|
|
|
 |
fkelly
Former Moderator in Good Standing

Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
Posted:
Sun Feb 11, 2007 11:49 pm |
|
There are several fixes that have been posted in these Forums. If I recall correctly they involve "patching" sentinel to allow cmd if the module name is Gallery. But I don't recall the details and don't have time tonight to go searching for you; I know the solutions are here though. Post back if you really can't find it and I'll do some looking around during the week. |
|
|
|
 |
AndyB

|
Posted:
Mon Feb 12, 2007 8:58 am |
|
|
|
 |
AndyB

|
Posted:
Tue Feb 27, 2007 5:30 pm |
|
tried the one that looked closest to what would work with the code I had (editing this post as I didn't see the copy and paste was the wrong one)
anyway, it didn't work.... (the "fix" I tried) |
Last edited by AndyB on Wed Feb 28, 2007 6:12 am; edited 1 time in total |
|
|
 |
AndyB

|
Posted:
Tue Feb 27, 2007 5:38 pm |
|
and I've checked out the other links my search brought up (some were my original posts, lol from years ago on an older version of nuke/ gallery/ sentinel)
The one I posted up above looked like it *should* work, but blocked the user that was testing....
got me stumped this.
Some searches show highlight and cmd in the search string, but when I try to click the links on here, gives me a forbidden type error..... |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Thu Mar 01, 2007 6:55 am |
|
Ok, first, let us verify that this is what you have within includes/nukesentinel.php:
Code:
// Check for XSS attack
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
  if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))
  OR stristr($nsnst_const['query_string'], "http://")
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
  }
}
|
Try changing this line here:
Code: OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
|
To:
Code: OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery"))
|
Now, just keep in mind that I do not use gallery any longer, so we'll have to have you tell us if it works or not. |
|
|
|
 |
AndyB

|
Posted:
Thu Mar 01, 2007 4:21 pm |
|
thanks- but didn't work.
I can supply my full includes/ sentinel.php if it helps?
from the email:
Code:Date & Time: 2007-03-01 22:08:21 GMT GMT +0000
Blocked IP: 84.68.removed by me
Reason: Abuse-Filter
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 2.0.50727)
Query String: /modules.php?parentName=user_photos&return=http://www.audifans.net/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Get String: /modules.php?parentName=user_photos&return=http://www.audifans.net/modules.php?op=modload&name=gallery&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Post String: /modules.php
Forwarded For: none
Client IP: none
Remote Address: 84.68.removed by me
Remote Port: 50639
Request Method: GET
|
|
|
|
|
 |
Dauthus

|
Posted:
Thu Mar 01, 2007 6:54 pm |
|
Actually it appears it did work. The string you just posted is different than the string you posted previously. This string does have the "http://" within it.
I think now would be the time to also include the first fix you attempted at the beginning of this post along with the one montego gave you. See how that works. |
|
|
|
 |
fkelly

|
Posted:
Thu Mar 01, 2007 8:19 pm |
|
I had a similar "fix" in when I ran Gallery 1.4x and 1.5x. I just went looking for it and didn't find in /includes/nukesentinel.php but I'm not having problems. The reason I think is that I'm running Gallery 2.1x now. But yes, the fix Montego gave you should work.
I'm guessing Gallery 2.1 does things differently since I have it running on 2 sites with different versions of NS and with no problems. Not that upgrading Gallery is for the faint of heart but it might be a solution at some point down the road for you. |
|
|
|
 |
Gremmie
Former Moderator in Good Standing

Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
Posted:
Thu Mar 01, 2007 9:34 pm |
|
That return=http:// might be doing it too. |
|
|
|
 |
montego

|
Posted:
Fri Mar 02, 2007 6:42 am |
|
you guys are GOOD! Yes, I just saw too that the posted link is different. http: will definitely trip it. |
|
|
|
 |
AndyB

|
Posted:
Fri Mar 02, 2007 1:38 pm |
|
I tried that- Sentinel still kicked in.
My bit is now: (just in case I misunderstood the instructions)
Code:
// Check for XSS attack
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
  if( (isset($name) AND eregi("http\:\/\/", $name)) OR (isset($file) AND eregi("http\:\/\/", $file)) OR (isset($libpath) AND eregi("http\:\/\/", $libpath))
  //OR stristr($nsnst_const['query_string'], "http://")
  OR ( stristr($nsnst_const['query_string'], "http://") AND !stristr($nsnst_const['query_string'], "modules.php?name=gallery"))
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery"))
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
  }
}
|
Cheers for the help so far guys, much appreciated. |
|
|
|
 |
AndyB

|
Posted:
Fri Mar 09, 2007 3:33 pm |
|
any other ideas?
Cheers!
Andy |
|
|
|
 |
Gremmie

|
Posted:
Fri Mar 09, 2007 3:52 pm |
|
Try changing this part:
Code:
!stristr($nsnst_const['query_string'], "modules.php?name=gallery")
|
To this:
Code:
!stristr($nsnst_const['query_string'], "name=gallery")
|
For some reason your links aren't getting generated as modules.php?name=gallery...it is putting other stuff first. |
|
|
|
 |
AndyB

|
Posted:
Fri Mar 09, 2007 5:26 pm |
|
you STAR! MANY MANY THANKS!
I've already donated this month (doesn't show on donations) and I'll donate AGAIN
MANY MANY THANKS
YOU GUYS ROCK
 |
|
|
|
 |
montego

|
Posted:
Sat Mar 10, 2007 8:00 am |
|
tell all your friends...  |
|
|
|
 |
AndyB

|
Posted:
Sat Mar 10, 2007 9:29 am |
|
already have  |
|
|
|
 |
AndyB

|
Posted:
Thu Oct 11, 2007 12:41 pm |
|
**UPDATE FOR SENTINEL VERSION 2.5.13**
I've updated my Sentinel version to that above; some of the variables/ code has changed. I'll put my changes below so that other users can see/ use the changes (I know a few of us use this thread when we need to look back)
in includes/nukesentinel.php look at around line 290 for the xss attack script.
Change this:
Code:
// Check for XSS attack
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
  if( (isset($name) AND (eregi("http\:\/\/", $name) OR eregi("https\:\/\/", $name)))
  OR (isset($file) AND (eregi("http\:\/\/", $file) OR eregi("https\:\/\/", $file)))
  OR (isset($libpath) AND (eregi("http\:\/\/", $libpath) OR eregi("https\:\/\/", $libpath)))
  OR stristr($nsnst_const['query_string'], "http://") OR stristr($nsnst_const['query_string'], "https://")
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
  }
}
}
|
for this:
Code:
// Check for XSS attack
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin']))) {
  if( (isset($name) AND (eregi("http\:\/\/", $name) OR eregi("https\:\/\/", $name)))
  OR (isset($file) AND (eregi("http\:\/\/", $file) OR eregi("https\:\/\/", $file)))
  OR (isset($libpath) AND (eregi("http\:\/\/", $libpath) OR eregi("https\:\/\/", $libpath)))
  // Gallery hack
  //original line below
  // OR stristr($nsnst_const['query_string'], "http://") OR stristr($nsnst_const['query_string'], "https://")
  //replacement code
  OR stristr($nsnst_const['query_string'], "http://") AND !stristr($nsnst_const['query_string'], "name=gallery") OR stristr($nsnst_const['query_string'], "https://")
  //original line below
  // OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") )
  //replacement code
  OR ( stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd") AND !stristr($nsnst_const['query_string'], "name=gallery") )
  //end of gallery hack
  OR ( stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu") )
  OR stristr($nsnst_const['query_string'],"concat") AND !stristr($nsnst_const['query_string'], "../") ) {
    block_ip($blocker_row);
  }
}
}
|
I'm using a patched 7.6 nuke (over 3.3 or so), and we've tested it ok. If Raven/ other clever bod can check I've not borked the code up
I take no responsibility for you using this code- but I hope it helps!
Thanks for the system guys- script kiddies have been mental lately- the upgrade was necessary because of the IP2Country range, among others... |
|
|
|
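An added example (not NukeSentinel's code and not written by anyone in this thread) that models the query-string rules quoted above and reports which rule matches each logged request. The names `has`, `matched_rules` and `SITE_HOST` and the `strict` mode are assumptions introduced here, and the last sample string is constructed.

```php
<?php
// Added example, not NukeSentinel's code. Query-string rules only; the
// $name/$file/$libpath eregi() checks from the thread are left out.
const SITE_HOST = 'www.audifans.net'; // host seen in the logged return= URL

function has(string $qs, string $needle): bool {
    return stripos($qs, $needle) !== false; // case-insensitive, like stristr()
}

// $mode: 'stock'  = 2.5.13 rules as quoted in the thread,
//        'thread' = the name=gallery exemption posted in the thread,
//        'strict' = hypothetical tighter exemption (assumption).
function matched_rules(string $qs, string $mode): array {
    $exempt = false;
    if ($mode === 'thread') {
        $exempt = has($qs, 'name=gallery');
    } elseif ($mode === 'strict') {
        // Exempt only a gallery request whose embedded URLs all point at this site.
        parse_str((string) substr((string) strstr($qs, '?'), 1), $p);
        preg_match_all('#https?://([^/?&]*)#i', $qs, $m);
        $foreign = array_filter($m[1], fn($h) => strcasecmp($h, SITE_HOST) !== 0);
        $exempt = ($p['name'] ?? '') === 'gallery' && count($foreign) === 0;
    }
    $hits = [];
    if (has($qs, 'http://') && !$exempt) $hits[] = 'http://';
    if (has($qs, 'https://')) $hits[] = 'https://';
    if (has($qs, 'cmd=') && !has($qs, '&cmd') && !$exempt) $hits[] = 'cmd=';
    if (has($qs, 'exec') && !has($qs, 'execu')) $hits[] = 'exec';
    if (has($qs, 'concat') && !has($qs, '../')) $hits[] = 'concat';
    return $hits;
}

// Shared tail of both logged query strings, copied from the thread.
$tail = '&file=index&include=view_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php';
$samples = [
    'first log (URL removed by poster)' => '/modules.php?parentName=audioc&return=modules.php?op=modload&name=gallery' . $tail,
    'second log' => '/modules.php?parentName=user_photos&return=http://www.audifans.net/modules.php?op=modload&name=gallery' . $tail,
    'constructed: return= on another host' => '/modules.php?name=gallery&return=http://other.example/x',
];
foreach ($samples as $label => $qs) {
    foreach (['stock', 'thread', 'strict'] as $mode) {
        $hits = implode(', ', matched_rules($qs, $mode)) ?: 'nothing';
        printf("%-38s %-6s blocked by: %s\n", $label, $mode, $hits);
    }
}
```

The second logged string contains `modules.php?op=modload&name=gallery`, never `modules.php?name=gallery`, so only the shorter `name=gallery` test exempts it, and both logged strings contain `&cmd`, so the `cmd=` rule does not match them. The `strict` mode shows one way to keep the exemption from also covering a `return=` URL on another host.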
 |
myrtletrees
Involved


Joined: Sep 13, 2005
Posts: 259
Location: Cornfields of Indiana
|
Posted:
Wed Feb 13, 2008 1:57 pm |
|
helped me, thanks!
and yes, the nuke sites I manage have been getting hammered by Filter attacks lately too. |
|
|
|
 |
|