jakec
Site Admin

Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
|
Posted:
Thu Apr 13, 2006 8:34 am |
|
Hi,
NukeSentinel isn't blocking the IP address when a Union attack is attempted. The default page is displayed saying you have been banned for attempting a Union attack, but it also says 'Block Expires: Unkown'.
It is then possible to access the site again.
When I check the Blocked IP list nothing is recorded there and nothing is written to the .htaccess file.
I've checked the Blocker Configuration and it is set to Email, Block & Default Page.
I tried the same attack on another site on my server and NukeSentinel does block it, so it's not the server causing the problem.
Also NukeSentinel is blocking Admin-abuse and adds the IP to the database and .htaccess.
I'm using the latest RavenNuke distro.
Has anybody got any ideas how to fix this?
Jakec

Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Thu Apr 13, 2006 12:38 pm |
|
I've not experienced this but try updating to v2.4.2pl5.

jakec

|
Posted:
Thu Apr 13, 2006 2:31 pm |
|
There must be a setting wrong somewhere, or something screwy has happened when installing Nuke.
My test site is working fine, the site I'm about to release is the one I'm having problems with. The test site in theory should be exactly the same, if anything the test site should be the one I'm having problems with.
The only modules I have installed are Kalender MX and the Re-send email.
Will 2.4.2pl5 be part of the RavenNuke 2.02.02 release?

wickedmellow
New Member


Joined: May 20, 2006
Posts: 3
|
Posted:
Sat May 20, 2006 3:20 pm |
|
Having the exact same problem, did everything from up to the step where you log into admin.php (or the filename I'd changed it to in config.php and on the server) but when I tried to click on "modules" to change the forum settings and such I just got blocked and my IP banned for admin abuse. Not sure where to go from here...

reformedman
New Member


Joined: Sep 15, 2006
Posts: 3
|
Posted:
Wed Sep 20, 2006 1:03 pm |
|
I just got the same thing. I googled the 'You have attempted a Union attack on this site' and came to this site.
I entered about 5 articles this morning from a work computer on one floor and now just entered about 10 more articles from another computer at work. On this particular article I kept getting this alert message.
I tried entering a different article and it accepted. I went back to the original article again, and I got the alert again. There is something in the article that is not being allowed to be entered into Content module.
Here is the copy of the article.
http://www.sovereignfaith.com/modules.php?name=Content&pa=showpage&pid=202
I am taking all the articles from this my old site, to a new domain and entering them one by one through content module. All was going well until I got to this particular article.
Help Please.

jakec

|
Posted:
Wed Sep 20, 2006 1:14 pm |
|
The article contains the word 'union' which will trigger the blocker on Sentinel.

fkelly
Former Moderator in Good Standing

Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
Posted:
Wed Sep 20, 2006 2:01 pm |
|
Please see this post
It's funny how urban myths spread. I would appreciate if any other programmers want to verify my reading of it but looking at Sentinel right now, the union "filter" is applied to a "query_string" which is returned from this function in Sentinel:
Code:
function get_query_string() {
    if(get_env("QUERY_STRING")) {
        return str_replace("%09", "%20", get_env("QUERY_STRING"));
    } else {
        return;
    }
}
I don't believe that the onion filter applies to a post_string but the documentation that I'm looking at (the PHP manual) doesn't have anything on get_env that I can see. In other words, if we eliminate the mainfile bug discussed in the other thread we should be able to post all the Onions we want. Oh, there is a listing for "getenv" but unless "QUERY_STRING" also includes any post strings it won't be filtered in Sentinel. Anyone know for sure?
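
An added example, not NukeSentinel code and not written by any poster in this thread: it shows that the CGI `QUERY_STRING` variable holds only the part of the request URL after `?`, so a check applied to the value returned by `get_query_string()` does not see a POSTed form body. The `has_union_keyword()` pattern, the request paths and the parameter names are assumptions made for the illustration; Sentinel's actual pattern is not shown in the thread.

```php
<?php
// Added illustration; not NukeSentinel code. All requests below are constructed samples.

// Same normalisation as the get_query_string() quoted in the thread, but taking
// the value as a parameter instead of reading it from the environment.
function normalise_query_string(?string $qs): string {
    return $qs === null ? '' : str_replace('%09', '%20', $qs);
}

// Hypothetical stand-in for the union check (assumption: a simple keyword match).
function has_union_keyword(string $text): bool {
    return (bool) preg_match('/\bunion\b/i', urldecode($text));
}

// What the web server hands to PHP: QUERY_STRING is the part of the request
// target after '?'; the request body is delivered separately.
function split_request(string $method, string $target, string $body = ''): array {
    $qs = parse_url($target, PHP_URL_QUERY);   // null when there is no '?'
    return ['method' => $method, 'QUERY_STRING' => $qs, 'body' => $body];
}

$requests = [
    // Word appears in the URL, tab-encoded, so the %09 -> %20 step matters.
    'GET search for "trade union"' => split_request(
        'GET', '/modules.php?name=Search&query=trade%09union'),
    // Word appears only in the submitted form body (hypothetical op name).
    'POST article containing the word' => split_request(
        'POST', '/admin.php?op=content_save',
        'title=History&text=' . urlencode('The union of the two churches in 1707')),
];

foreach ($requests as $label => $req) {
    $qs = normalise_query_string($req['QUERY_STRING']);
    printf("%-34s query-string hit: %-3s body hit: %s\n", $label,
        has_union_keyword($qs) ? 'yes' : 'no',
        has_union_keyword($req['body']) ? 'yes' : 'no');
}
```

The GET request is flagged by the query-string check and the POST request is not, even though its body contains the word; a block triggered while saving an article therefore has to come from a check that also reads the submitted form data.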