Author |
Message |
southern
Client

Joined: Jan 29, 2004
Posts: 624
|
Posted:
Fri Aug 13, 2004 11:27 pm |
|
Apparently a member of my site set off NukeSentinel™'s Script Blocker. Was it an innocent deed caused by a bug in either Site Messenger or in NukeSentinel or was he pasting some illicit code into the input of Messenger? You, the jury, decide and I the judge will be guided by your wisdom haha
Code:
Date & Time: 2004-08-13 14:43:06
Blocked IP: 81.244.8.*
User ID: B--- (5)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: southernwolf.net/modules.php?subject=Re%3A+Hi&msg_text=No%2C+I+dumped+her+because+a+friend+of+her+told+me+she+wanted+to+dump+me+after+the+exams.+So%2C+I+said+%22the+sooner+I%27m+of+that+lying+biatch%2C+the+better%22.+I+will+for+sure.+I+think+I+know+someone%2C+he%27s+a+little+bit+weird%2C+but+I+think+he%27ll+like+this+very+much.&name=Site_Messenger&file=buddy&to_userid=3&op=send&to=graywolf&x=68&y=13
Forwarded For: none
Client IP: none
Remote Address: 81.244.8.*
Remote Port: 1353
Request Method: GET
--------------------
Who-Is for IP
81.244.8.112
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2004-03-16
|
|
|
|
|
 |
Dauthus
Worker


Joined: Oct 07, 2003
Posts: 211
|
Posted:
Fri Aug 13, 2004 11:43 pm |
|
Sorry, but I don't see where this user actually did anything wrong. Am I missing something here? |
|
|
|
 |
southern

|
Posted:
Fri Aug 13, 2004 11:56 pm |
|
So why'd I get this? Is it a bug in Sentinel™? Or what? Maybe it was the word bitch that set it off? Who knows. Don't mind the judge and jury talk, I'm quite lenient. Really.  |
|
|
|
 |
Dauthus

|
Posted:
Sat Aug 14, 2004 2:03 am |
|
One thing I have noticed is I always get an email indicating my username was banned every time I send a private message to anyone. (I'm the admin, so my username is protected) I guess this could be some type of bug, but I don't know much about these systems. You could try and report this in the bug section and see what they say. |
|
|
|
 |
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Sat Aug 14, 2004 3:11 am |
|
The filter "script" and "filter" are going to be more prone to false positives with third party applications than most of the other blockers. I believe southern didn't you have some with SiteMessenger before? Not sure it was you but I do recall someone posting about that.
Dauthus strange can't say I've seen that before except when someone had a theme that was missing a quote so a style= string was triggering a blocker. But we use the forum private messages all the time here without any false positives. |
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sat Aug 14, 2004 8:31 am |
|
No false positive. Here is the url decoded text:
Quote: | Re: Hi&msg_text=No, I dumped her because a friend of her told me she wanted to dump me after the exams. So, I said "the sooner I'm of that lying biatch, the better". I will for sure. I think I know someone, he's a little bit weird, but I think he'll like this very much.&name=Site_Messenger&file=buddy&to_userid=3&op=send&to=graywolf&x=68&y=13 |
Nuke would also have banned this. It's not a Sentinel unique issue. The "" and ' marks are the problem. You can turn the filters off and design your own strings but you are opening yourself up to hack attempts. Personally, I would not use an application that sends freeform text like that with either a GET or a POST header. |
|
|
|
 |
Dauthus

|
Posted:
Sat Aug 14, 2004 11:39 am |
|
Quote: | Dauthus strange can't say I've seen that before except when someone had a theme that was missing a quote so a style= string was triggering a blocker. But we use the forum private messages all the time here without any false positives. |
Here's what I am getting: I am going to try to change the theme and see if it is still happening. I will let you know.
Code:
Date & Time: 2004-08-14 00:36:52
Blocked IP: 66.82.xxx.xxx
User ID: Dauthus (2)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)
Query String: www.mysite.com/modules.php?name=Private_Messages&file=index&folder=inbox\"
Forwarded For: none
Client IP: none
Remote Address: 66.82.xxx.xxx
Remote Port: 3693
Request Method: GET
--------------------
|
|
|
|
|
 |
southern

|
Posted:
Sat Aug 14, 2004 12:18 pm |
|
Raven wrote: | No false positive. Here is the url decoded text:
Quote: | Re: Hi&msg_text=No, I dumped her because a friend of her told me she wanted to dump me after the exams. So, I said "the sooner I'm of that lying biatch, the better". I will for sure. I think I know someone, he's a little bit weird, but I think he'll like this very much.&name=Site_Messenger&file=buddy&to_userid=3&op=send&to=graywolf&x=68&y=13 |
Nuke would also have banned this. It's not a Sentinel unique issue. The "" and ' marks are the problem. You can turn the filters off and design your own strings but you are opening yourself up to hack attempts. Personally, I would not use an application that sends freeform text like that with either a GET or a POST header. |
So Sentinel™- and nuke- did what it's supposed to. Blocked a script. This member and me were chit chatting on Site Messenger for about five or ten minutes with no problem when bing he dropped off the site. I have the Messenger thing set for registered users only. Well, I'll be gracious and unban him this once. Good test of Sentinel™ and I'm sure 2.0.1 is even better.
sixone, yes I had a prob with Site Messenger a few months ago when I was getting an 'I don't like you' message from it, and I took it off then, but this is a later version from flashnukers and I haven't seen that odd message yet. |
|
|
|
 |
sixonetonoffun

|
Posted:
Sat Aug 14, 2004 7:14 pm |
|
Sounds like a pretty cool addon Southern I just don't get time to try them all
Dauthus it looks like it may be just what I was referring to before. The \" on the end of the string being reported is likely a code error in the theme tpl for the PM's. |
|
|
|
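The two reports above, worked through as an added example (not NukeSentinel's or Site Messenger's code, and not a reproduction of the blocker's rules): it splits a logged Query String into parameters, decodes each one, and shows which parameter carries the quote or backslash characters the replies point to. The `FREE_TEXT_PARAMS` set and both sample strings are assumptions constructed from the reports in this thread.

```python
from urllib.parse import urlsplit, unquote_plus

# Characters the thread points to: quotes, plus the backslash from the
# escaped \" seen in the second report.
SUSPECT_CHARS = {'"': "double quote", "'": "single quote", "\\": "backslash"}

# Assumption: parameters that carry user-typed text in the Site Messenger
# request shown in the first report. Anything else is treated as a fixed
# value written into a link or form by the module or theme.
FREE_TEXT_PARAMS = {"subject", "msg_text"}

def suspect_params(logged_query):
    """Map each parameter whose decoded value holds a suspect character
    to (origin, [character names])."""
    # The report logs host/path?query with no scheme; "//" lets urlsplit parse it.
    query = urlsplit("//" + logged_query).query
    findings = {}
    # Split on "&" before decoding so an encoded %26 inside a value
    # cannot be mistaken for a parameter separator.
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(raw)
        hits = [label for ch, label in SUSPECT_CHARS.items() if ch in value]
        if hits:
            origin = "user text" if name in FREE_TEXT_PARAMS else "generated link"
            findings[name] = (origin, hits)
    return findings

# Constructed samples, shortened from the two reports in this thread.
MESSENGER = ("southernwolf.net/modules.php?subject=Re%3A+Hi"
             "&msg_text=So%2C+I+said+%22the+sooner+I%27m+of+that%22"
             "&name=Site_Messenger&file=buddy&op=send")
PM_INBOX = r'www.mysite.com/modules.php?name=Private_Messages&file=index&folder=inbox\"'

if __name__ == "__main__":
    for sample in (MESSENGER, PM_INBOX):
        print(suspect_params(sample))
```

A hit tagged "user text" is ordinary punctuation typed into a message and sent in the URL; a hit tagged "generated link" means the character came from markup the site itself produced, which is where to look in the module or theme.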
 |
ring_c
Involved


Joined: Dec 28, 2003
Posts: 276
Location: Israel
|
Posted:
Mon Oct 11, 2004 6:51 am |
|
I too have a problem with Sentinel 2.02 and Site Messenger 1.3.
Sentinel already banned 3 users while using the Site Messenger. So I had to drop the Script blocker!
No other solution? |
|
|
|
 |
Raven

|
Posted:
Mon Oct 11, 2004 8:45 am |
|
Get rid of that \" - That's how scripts pass injection logic. |
|
|
|
 |
ring_c

|
Posted:
Mon Oct 11, 2004 8:48 am |
|
Raven wrote: | Get rid of that \" - That's how scripts pass injection logic. |
HOW?!?! |
|
|
|
 |
southern

|
Posted:
Mon Oct 11, 2004 7:18 pm |
|
I'd like to know, too. Actually Site Messenger ain't a bad thing, if it weren't for the fact it seems to set off Sentinel™... |
|
|
|
 |
sixonetonoffun

|
Posted:
Mon Oct 11, 2004 8:28 pm |
|
It's fun to use. But it has some fairly serious issues. I looked at it again this morning. It would be nice if the site that maintains it would simply come out with an updated version.
It's cool because it's almost as real time as a messenger but you don't have to give out your regular messenger handle which is cool. If you're using it check out the Subject line I don't think it would take much to slip a nifty java redirect into it. It's dangerous because in part it lives outside of both nuke and phpbb but has full access to the services they do. |
|
|
|
 |
southern

|
Posted:
Mon Oct 11, 2004 8:38 pm |
|
Well, that's why I took off SM, those 'issues' you and Raven have pointed out.
SM has potential as not only an in-site messenger but a cross-site messenger, but until it has better security it's a no go on my site. BTW love your sig, got one for us animals who eat tasty people? haha |
|
|
|
 |
blith
Client

Joined: Jul 18, 2003
Posts: 977
|
Posted:
Tue Oct 12, 2004 7:31 am |
|
ring_c wrote: | Raven wrote: | Get rid of that \" - That's how scripts pass injection logic. |
HOW?!?! |
I would like to know this too. I was getting the same thing and posted about it here http://www.ravenphpscripts.com/postt3090.html
I do not use Site Messenger. |
|
|
|
 |
|