False Positive

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

On the other ones, what is the domain name?

registered · Posted: Tue Jun 15, 2004 8:07 pm

sixonetonoffun wrote:

Building on what Raven did with cmd above NovemberRain try this its working ok for me but I only tested it briefly.
Around line 112 in includes/sentinel.php
change this line
if (eregi("http\:\/\/", $name) OR eregi("cmd",$querystring) OR eregi("exec",$querystring) OR eregi("concat",$querystring)) {
To this:

Code:




 if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR eregi("exec",$querystring) AND !eregi("execu",$querystring) OR eregi("concat",$querystring)) {

six, question?

Shouldn't the code

Code:

if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR eregi("exec",$querystring) AND !eregi("execu",$querystring) OR eregi("concat",$querystring)) {

be like

Code:

if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {

with the extra pair of ( and ) to make the exec check inclusive and not interfere with the concat check? I'm not saying it is wrong but only wanting to make sure I'm understanding it correctly Smile

Posted: Tue Jun 15, 2004 8:35 pm

I never tested anything but the user name with Executioner (Until just now) its doesn't seem to interfere but theres no reason not to add the extra braces for consistency at the very least.

Posted: Tue Jun 15, 2004 8:41 pm

In another thread we added AND !eregi("cmd=highlight",$querystring)) for compatability with Gallery it could probably be shortened but I left it more specific for the sake of resolving the problem for the user without adding any new wholes by mistake.

New Member Joined: Jun 19, 2004 Posts: 3

NM, I found my problem Confused

Posted: Wed Jul 07, 2004 12:54 pm

I'm currently porting the phpBB nickpage mod to nuke and while testing I got caught several times for using the link:

Code:

modules.php?name=Forums&file=nickpage&user=aconrads&sid=xxx

I couldn't find the suspicious string in there. Can you spot it?
Is there a way to exclude 127.0.0.1 from sentinel at least for the remaining testing time?

Thanks!

MrFluffy

Posted: Wed Jul 07, 2004 12:59 pm

forget the part about my local IP Bang Head

Why do I activate sentinel on the testserver at all? Wink

Posted: Thu Jul 08, 2004 3:50 am

Quote:

Blocked IP: 127.0.0.1
User: aconrads
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Abuse Blocked on: 2004-07-08 11:28:22
Notes: Added by Sentinel™
Reason: Abuse - OTHER

Query String: localhost/webs/conrads/modules.php?name=Forums&file=nickpage&user=aconrads
Forwarded For: none
Client IP: none
Remote Address: 127.0.0.1
Remote Port: 1338
Request Method: GET

This is the complete administration entry (no email on my testserver)...

Posted: Thu Jul 08, 2004 5:10 am

This logic is for blocking a Forum attack. It looks like this may be another 'exception'. I will forward this over to the 'figue this out' department Laughing

Code:

  if (stristr($querystring,'&user=') AND ($name==Private_Messages || $name==Forums || $name==Members_List)) {


    block_ip($ip, $banuser, $bantime, $blocker_row);


  }

Posted: Thu Jul 08, 2004 5:21 am

As a quick work-around, try this

Code:

  if (stristr($querystring,'&user=') AND !stristr($querystring,'&file=nickpage') AND ($name==Private_Messages || $name==Forums || $name==Members_List)) { 


    block_ip($ip, $banuser, $bantime, $blocker_row); 


  }

Posted: Thu Jul 08, 2004 5:26 am

Raven wrote:

As a quick work-around, try this

Code:

  if (stristr($querystring,'&user=') AND !stristr($querystring,'&file=nickpage') AND ($name==Private_Messages || $name==Forums || $name==Members_List)) { 


    block_ip($ip, $banuser, $bantime, $blocker_row); 


  }

Thanks! I was just testing the same idea Wink

, only with:

Code:

   if (!stristr($querystring,'nickpage&user=')) {


      if (stristr($querystring,'&user=') AND ($name==Private_Messages || $name==Forums || $name==Members_List) AND $name!=nickpage) {


         if($ab_config['act_filters'] > 1) {


            block_ip($ip, $banuser, $agent, $bantime, $reason, $ab_config['act_filters']);


         } else {


            write_mail($remote, $banuser, $bantime, $reason);


            Header("Location: index.php");


         }


      }


   }

cu,
MrFluffy

Posted: Thu Jul 08, 2004 6:07 am

Same difference, although you could accomplish the same thing with just a tad bit more efficiency like this

Code:

  if (!stristr($querystring,'&file=nickpage') AND stristr($querystring,'&user=') AND ($name==Private_Messages || $name==Forums || $name==Members_List)) { 


    block_ip($ip, $banuser, $bantime, $blocker_row); 


  }

That avoides the {} processing and since it's the first logic check it will exit immediately. But, the gain would be so minimal it's not really necessary to change it. It's just for those 'SPEED' freaks out there Laughing

Posted: Thu Jul 08, 2004 9:20 am

Added to Sentinel(tm) 2.0.0 Smile

Posted: Thu Jul 08, 2004 10:14 am

Thanks a lot!

But I didn't get the mod running completly yet, grrrr...
I'm a little lost in the paths Wink

About everything's running, apart from saving the base nickpage data and viewing the nickpage, which some nitpicking people could consider to be core functions Wink