madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Wed Jun 09, 2004 1:39 pm

Probably caused by missing backslash in regex pattern?
(eregi("\([^>]*\"?[^\)]*\)", $secvalue)) ||
_________________
I'm
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Wed Jun 09, 2004 2:21 pm

What's happening is the way it's written it's picking up the parens, which isn't really bad in and of itself -- but you know this I suspect.
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
Xeon
Sergeant
Joined: Aug 28, 2003
Posts: 144
Location: USA
Posted: Wed Jun 09, 2004 2:29 pm
Xeon
Sergeant
Joined: Aug 28, 2003
Posts: 144
Location: USA
Posted: Wed Jun 09, 2004 2:32 pm

madman wrote:
    Probably caused by missing backslash in regex pattern?
    (eregi("\([^>]*\"?[^\)]*\)", $secvalue)) ||

Ah well heck, if that will take care of the issue I've posted here I'd rather do that than get rid of this line completely.
I guess I'll have to test it.
_________________
Xeon
http://www.credit-repair-combat.com/
FHFGhost
Lieutenant
Joined: Jan 26, 2003
Posts: 279
Location: Huntsville, AL
Posted: Wed Jun 09, 2004 2:37 pm

It didn't fix the problem for me.
_________________
"I don't know what the key to success is, but the key to failure is trying to please everybody" - Bill Cosby
Xeon
Sergeant
Joined: Aug 28, 2003
Posts: 144
Location: USA
Posted: Wed Jun 09, 2004 2:42 pm
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Wed Jun 09, 2004 2:44 pm

I still have to check the code myself... But I'll get back to you.
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
Xeon
Sergeant
Joined: Aug 28, 2003
Posts: 144
Location: USA
Posted: Wed Jun 09, 2004 2:45 pm
FHFGhost
Lieutenant
Joined: Jan 26, 2003
Posts: 279
Location: Huntsville, AL
Posted: Wed Jun 09, 2004 2:48 pm

Yes thx ZX
_________________
"I don't know what the key to success is, but the key to failure is trying to please everybody" - Bill Cosby
FHFGhost
Lieutenant
Joined: Jan 26, 2003
Posts: 279
Location: Huntsville, AL
Posted: Thu Jun 10, 2004 8:31 pm

Any results yet ZX?
_________________
"I don't know what the key to success is, but the key to failure is trying to please everybody" - Bill Cosby
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Fri Jun 11, 2004 8:16 am

No, not yet... I found a fix last night to the big phpbb search bug problem that everyone is reporting at phpbb.com that affects nukecops and computercops too.
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
FHFGhost
Lieutenant
Joined: Jan 26, 2003
Posts: 279
Location: Huntsville, AL
Posted: Tue Jun 15, 2004 12:06 pm

Should I just comment out this line? Or will that not fix the problem?
_________________
"I don't know what the key to success is, but the key to failure is trying to please everybody" - Bill Cosby
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Tue Jun 15, 2004 12:12 pm

Yes, go ahead and comment out the line.
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
BooBoo
Nuke Soldier
Joined: Jun 15, 2004
Posts: 10
Posted: Tue Jun 15, 2004 7:34 pm

Hi,
So should this code block be in the mainfile IF you have Fortress installed?
Code:
    // Abort the whole request if any POST field contains a <...script...> or <...style...> tag.
    // eregi() is case-insensitive; the \" inside the PHP string is a plain " in the pattern,
    // and [^>]* lets the tag name be preceded by anything up to the closing >.
    foreach ($_POST as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
            die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
        }
    }
Even though it might be a bit aggressive it still looks like it looks after POST where Fortress only looks after GET - or am I wrong?
BooBoo
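To see what the two mainfile rules discussed in this thread actually do to ordinary form input, here is the parenthesis check from madman's first post and the script/style check from the block above, re-implemented in Python and run over a constructed stand-in for $_POST. This is an added example, not PHP-Nuke's code or any poster's. It assumes that, for a plain match/no-match decision, Python's re module and PHP's eregi() agree on these patterns (the \" in the PHP string literal is just a double quote, and [^)] is written without the backslash that a POSIX bracket expression would take literally); the field names and values are made up for the demonstration.

```python
import re

# The two tag rules from the foreach ($_POST ...) block, case-insensitive like eregi().
# Note that "script*" means "scrip" followed by zero or more "t", exactly as written in mainfile.
TAG_PATTERNS = [
    re.compile(r'<[^>]*script*"?[^>]*>', re.IGNORECASE),
    re.compile(r'<[^>]*style*"?[^>]*>', re.IGNORECASE),
]

# The parenthesis rule from the first post: any "(" followed later by a ")".
PAREN_PATTERN = re.compile(r'\([^>]*"?[^)]*\)', re.IGNORECASE)


def blocked_by_tag_filter(value: str) -> bool:
    """True if the <script>/<style> check would die() on this POST value."""
    return any(p.search(value) is not None for p in TAG_PATTERNS)


def blocked_by_paren_filter(value: str) -> bool:
    """True if the parenthesis rule would die() on this POST value."""
    return PAREN_PATTERN.search(value) is not None


def check_post(fields: dict) -> dict:
    """Run both rules over a dict standing in for $_POST; return a verdict per field."""
    return {
        name: {
            "tag_rule": blocked_by_tag_filter(value),
            "paren_rule": blocked_by_paren_filter(value),
        }
        for name, value in fields.items()
    }


# Constructed sample submission (hypothetical field names and values).
SAMPLE_POST = {
    "title": "Weekly meeting (Tuesday)",            # ordinary prose with parentheses
    "body": "Use <b>bold</b> and <i>italic</i>.",   # harmless formatting tags
    "bio": "See <noscript>enable JS</noscript>",    # harmless tag, but contains "scrip"
    "css": '<div class="styled">hello</div>',       # "styled" trips the style rule
    "js": '<script src="x.js"></script>',           # the tag the rule is meant to catch
}

if __name__ == "__main__":
    for name, verdict in check_post(SAMPLE_POST).items():
        print(f"{name:6} tag_rule={str(verdict['tag_rule']):5} paren_rule={verdict['paren_rule']}")
```

Running it shows why users were landing on the "not allowed" page: the title field, plain text with a balanced pair of parentheses, trips the parenthesis rule, which is the rule this thread ends up commenting out. The noscript and class="styled" fields show the side of the tag rule BooBoo calls aggressive: the leading [^>]* means any tag whose name or attributes happen to contain "scrip" or "styl" is rejected along with real script and style tags.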
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Wed Jun 16, 2004 6:17 am

I agree that the code is aggressive, but I haven't done any testing on it.
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]