Satch
New Member
Joined: Mar 05, 2006
Posts: 16
Posted: Wed Mar 22, 2006 12:32 pm
I'm using patched nuke 7.4 and tried to install sentinel and so far, so good. There's one problem though: in the instructions you're supposed to find and comment out:
Code:
    $queryString = strtolower($_SERVER['QUERY_STRING']);
    if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*') OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0')) {
        header("Location: index.php");
        die();
    }
I couldn't find the exact replica in my mainfile.php. The closest I found is:
Code:
    if(!file_exists('includes/nukesentinel.php')) {
        if(isset($_SERVER['QUERY_STRING']) && (!stripos_clone($_SERVER['QUERY_STRING'], "ad_click") || !stripos_clone($_SERVER['QUERY_STRING'], "url"))) {
            $queryString = $_SERVER['QUERY_STRING'];
            if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*') OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0') OR stripos_clone($queryString,'+union+') OR stripos_clone($queryString,'http://') OR (stripos_clone($queryString,'cmd=') AND !stripos_clone($queryString,'&cmd')) OR (stripos_clone($queryString,'exec') AND !stripos_clone($queryString,'execu')) OR stripos_clone($queryString,'concat')) {
                die('Illegal Operation');
            }
        }
    }
or
Code:
    $postString_64 = base64_decode($postString);
    if (!is_admin($admin) && stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+') OR stripos_clone($postString,'http-equiv') OR stripos_clone($postString_64,'http-equiv')) {
        header("Location: index.php");
        die();
    }
Ditto for this in admin.php: find and comment out:
Code:
    $checkurl = $_SERVER['REQUEST_URI'];
    if((stripos_clone($_SERVER["QUERY_STRING"],'AddAuthor')) || (stripos_clone($_SERVER["QUERY_STRING"],'VXBkYXRlQXV0aG9y')) || (stripos_clone($_SERVER["QUERY_STRING"],'QWRkQXV0aG9y')) || (stripos_clone($_SERVER["QUERY_STRING"],'UpdateAuthor')) || (preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
        die("Illegal Operation");
    }
but I only have this:
Code:
    $checkurl = $_SERVER['REQUEST_URI'];
    if((stripos_clone($checkurl,'AddAuthor')) OR (stripos_clone($checkurl,'VXBkYXRlQXV0aG9y')) OR (stripos_clone($checkurl,'QWRkQXV0aG9y')) OR (stripos_clone($checkurl,'UpdateAuthor')) OR (stripos_clone($checkurl, "?admin")) OR (stripos_clone($checkurl, "&admin"))) {
        die("Illegal Operation");
    }
While none of these are carbon copies, they are the closest I can find. Should I comment one of those out or just leave this part be?
Thanks.
Satch
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Wed Mar 22, 2006 4:32 pm
On the first one, that was removed, I think, in later versions of the patch. You shouldn't comment out what you highlighted there.
I'm not sure about the second one. I would leave that in, too. The impact could be that it catches an attack before NukeSentinel, and the only problem would be that you wouldn't know it.
_________________
I search, therefore I exist...
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Wed Mar 22, 2006 5:28 pm
Yeah, that's right, the first one is already in good shape because it only does the original check if nukesentinel is not installed.
On the second, NukeSentinel handles this one as well. Personally, I'd rather have NS letting me know the hack attempts (and autobanning) rather than just "dying".
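The point both replies make is that the legacy mainfile.php filter is harmless when NukeSentinel is installed (the `file_exists` guard keeps it inert) and that its only drawback otherwise is that it `die()`s silently, so the admin never sees what was blocked. The following is an added example, not PHP-Nuke's or NukeSentinel's own code: it restructures the query-string check from Satch's first snippet into a function that returns the matched pattern and logs it before the request is refused. `stripos_clone()` is not defined anywhere on this page; the stand-in below is an assumption (a case-insensitive `strpos`), and the sample query strings are constructed for the self-check, not taken from real traffic.

```php
<?php
// Added example, not part of PHP-Nuke or NukeSentinel.

// Assumed stand-in for PHP-Nuke's stripos_clone(): case-insensitive strpos(),
// returning false when the needle is absent.
function stripos_clone($haystack, $needle)
{
    return stripos($haystack, $needle);
}

// Same patterns as the legacy check quoted in the thread. Returns the first
// pattern that matched, or null when the query string is clean.
// Matches are compared against false explicitly, so a hit at offset 0 is
// still counted as a hit (plain truthiness would treat offset 0 as "no match").
function legacy_query_filter_match($queryString)
{
    $plain = array('%20union%20', '/*', '*/union/*', 'c2nyaxb0', '+union+', 'http://', 'concat');
    foreach ($plain as $needle) {
        if (stripos_clone($queryString, $needle) !== false) {
            return $needle;
        }
    }
    // The two conditional rules from the original: "cmd=" only when it is not
    // preceded by "&", "exec" only when it is not part of "execu...".
    if (stripos_clone($queryString, 'cmd=') !== false && stripos_clone($queryString, '&cmd') === false) {
        return 'cmd=';
    }
    if (stripos_clone($queryString, 'exec') !== false && stripos_clone($queryString, 'execu') === false) {
        return 'exec';
    }
    return null;
}

// Mirrors the guard in Satch's first snippet: the legacy check only runs when
// includes/nukesentinel.php is absent, so with NukeSentinel installed it does
// nothing. When it does run, the match is logged before the caller refuses the
// request, so the attempt is visible in the web server's error log.
function legacy_filter_for_request($queryString, $sentinelPath = 'includes/nukesentinel.php')
{
    if (file_exists($sentinelPath)) {
        return null; // NukeSentinel is responsible for detecting, logging and banning
    }
    $hit = legacy_query_filter_match($queryString);
    if ($hit !== null) {
        $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
        error_log(sprintf('legacy filter blocked QUERY_STRING (pattern "%s") from %s', $hit, $remote));
    }
    return $hit;
}

// Self-check on constructed query strings (not real traffic).
if (PHP_SAPI === 'cli') {
    $samples = array(
        'name=News&file=article&sid=12',   // ordinary request: passes
        'name=Search&query=concatenate',   // ordinary word containing "concat": false positive
        'cmd=view&name=Downloads',         // "cmd=" as first parameter: blocked by the cmd rule
        'name=Downloads&cmd=view',         // same parameter after "&": not flagged by the cmd rule
    );
    foreach ($samples as $qs) {
        $hit = legacy_query_filter_match($qs);
        printf("%-36s => %s\n", $qs, $hit === null ? 'pass' : 'blocked on "' . $hit . '"');
    }
}
```

Run it from the command line to see which of the constructed samples the legacy patterns would refuse. The second sample is worth noting for anyone who leaves the filter active without NukeSentinel: a plain substring blocklist will also refuse legitimate requests that happen to contain one of its tokens, and without the `error_log()` call those users would simply see "Illegal Operation" with nothing recorded on the server side.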