- rank:
-
Freshman
- registered:
- November 2004
- Status:
- offline
- last visit:
- 03.11.05
- Posts:
- 15
Hi all!
While using a PostNuke powered site for our CMS, I found that several times the pnAntiCracker module (which is ON) is triggering false alarms.
I was wondering if there were any exact improvements planned for pnAntiCracker in future versions of PostNuke. I heard something of moving the secureinput function to pnanticracker.php in a new version (I'm using 0.7.5) but nothing about refining the regular expressions which are used in the detection of "evil words".
I know it's complicated to write some javascript detector which really works, as there are many ways in which javascript can be injected. For example, you can't just say "trigger an alarm each time some post contains javascr ipt:", as sometimes it's not needed to prepend that piece of code before the code for it to be executed.
Simply a documen t.write("blabla") will do it, no need for script or javascript prepend.
The problem with the actual code is that, for example, it is triggering an alert just for links which have a variable called document.
Something like this: < a href="http://onelink.com&documen t=something" > is doing it. And it's not good! :D
Also, the code for that function maybe could be cleaned a bit to avoid repetitions. Like storing all regular expressions in an array and then traverse it using a loop for the given input method.
I don't know, I can think of some improvements for the secureinput right now, but maybe it's better to know what the planned development for this area is, and then focus my possible help into something more useful than a forum post.
What do you think?
** Note that I introduced some typos just in case you also had pnanticracker activated on this site :)
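As an added example (not part of the original post and not PostNuke's own code), the two ideas from the post above in PHP: detection rules stored in one array and traversed in a loop for every input source, and a narrower `document` rule that matches `document.write(...)` but not a link parameter named `document`. Rule names, patterns and function names are assumptions, and the narrower rule only addresses this one false positive; it is not a complete script filter.

```php
<?php
// Added example, not PostNuke code. Rule names, patterns and function names
// are hypothetical; requires PHP 7 or later.

// Over-broad rule of the kind the post describes: any occurrence of the word.
$naiveRules = ['document' => '/document/i'];

// Narrower rules: "document" only counts when used as an object, that is,
// followed by "." or "[". A query parameter named "document" is followed by "=".
$refinedRules = [
    'document-object' => '/\bdocument\s*[.\[]/i',
    'javascript-uri'  => '/javascript\s*:/i',
];

// Return the names of all rules that match one value.
function matchedRules(array $rules, string $value): array
{
    $hits = [];
    foreach ($rules as $name => $regex) {
        if (preg_match($regex, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Run the same rule table over every input source in a single loop,
// instead of repeating one preg_match call per pattern and per source.
function scanInput(array $rules, array $sources): array
{
    $alerts = [];
    foreach ($sources as $source => $params) {
        foreach ($params as $key => $value) {
            $hits = is_string($value) ? matchedRules($rules, $value) : [];
            if ($hits !== []) {
                $alerts[sprintf('%s[%s]', $source, $key)] = $hits;
            }
        }
    }
    return $alerts;
}

// Constructed sample input built from the two strings quoted in the post.
$sources = [
    'GET'  => ['url'  => '<a href="http://onelink.com&document=something">'],
    'POST' => ['body' => 'document.write("blabla")'],
];
print_r(scanInput($naiveRules, $sources));   // naive rule table
print_r(scanInput($refinedRules, $sources)); // refined rule table
```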
- rank:
-
Professional
- registered:
- September 2003
- Status:
- offline
- last visit:
- 21.10.07
- Posts:
- 2423
it is being reviewed..a lot of things are, but i know there was mention of taking it apart.
-IR
--
http://www.invalidresponse.com
- rank:
-
Software Foundation
- registered:
- December 1969
- Status:
- offline
- last visit:
- 15.11.08
- Posts:
- 4481
in .760 the anticracker code is just moved to outside of the pnAPI.php so that folks who don't activate the pnAntiCracker (like me) save bandwidth.
the general anticracker syntax will be reviewed for .8 (and as you can see in CVS it will be modularized) and extended with a better library for input validation like e.g. safehtml. it's on my to-do-list but to be honest you won't see any results in the next 4 weeks since i go off for some mountain climbing
--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
- rank:
-
Freshman
- registered:
- November 2004
- Status:
- offline
- last visit:
- 03.11.05
- Posts:
- 15
Yup, I have been taking a look at 0.760 to see if there were significant changes. Unfortunately I can't work with CVS versions as I just am able to use absolutely stable versions (otherwise clients get angry you know ;) )
I have been trying this evening to work out some better input validations for this. If I find something interesting I might submit it to the patch system so you can consider including it into .8 or whatever.
BTW when is the .8 release expected? And which is the latest recommended version? .75 or .76?
- rank:
-
Software Foundation
- registered:
- December 1969
- Status:
- offline
- last visit:
- 15.11.08
- Posts:
- 4481
Quote
And which is the latest recommended version? .75 or .76?
definitely .760
Quote
BTW when is the .8 release expected?
no release date
--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
- rank:
-
Freshman
- registered:
- November 2004
- Status:
- offline
- last visit:
- 03.11.05
- Posts:
- 15
I thought 0.760 was not yet stable and had some API inconsistencies. So it's quite surprising to see that's the stable version... nice to know that!
I'll consider it for future projects, as I saw there were lots of nice improvements (especially referring to the HTML code output which seems to be cleaner now), thanks!
