Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.6.x
killing-hours
RavenNuke(tm) Development Team



Joined: Oct 01, 2010
Posts: 438
Location: Houston, Tx

PostPosted: Mon Apr 25, 2011 12:42 pm Reply with quote

Hey all-

I have a script that is calling an admin op... however, the script is being blocked with "Abuse-Admin".

Here's how it works...

Form is loaded via jquery $.ajax -----> User form (on submit) ---> Custom Jquery gathers variable data sends to ----> Processing script which calls the admin.php?op=TestOp.

When that secondary script fires... It triggers a block from N.S. I'm assuming because it's not first level jquery. Anyone ever had a run-in with this type of situation and possibly how to overcome it?

------------

Ok... so the solution would be to pass the cookie information along to the dataflow. Is this possible and if so... what would be the "proper" way to pass this information on so that when the second script fires to the admin.php... it passes along the credential information?

_________________
Money is the measurement of time - Me
"You can all go to hell…I’m going to Texas" -Davy Crockett

Last edited by killing-hours on Tue Apr 26, 2011 11:01 am; edited 1 time in total 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

PostPosted: Tue Apr 26, 2011 4:27 am Reply with quote

Just to clarify, when you say "user form" you really mean "admin form" in the context that it would be a site administrator submitting the form?
If the answer is no, you'll have to back-track a bit. User-submitted data should always pass through modules.php, not admin.php.
That would be fatal in PHP-Nuke because there is NO cross-site-request-forgery protection.

Now for the easy bit (possibly), if your IP is in the 'protected range' (which it should be if NS is configured correctly) I believe NS should simply allow any data to pass through and not even be attempting to examine your POSTed form data.
It sounds like your NS default blocker is set to Abuse-Admin and I would have expected Abuse-Script to be triggered so this sounds more like something in the actual POST data it doesn't like, rather than the process of submitting the form.

I hope that might help.
 
killing-hours







PostPosted: Tue Apr 26, 2011 7:41 am Reply with quote

Thank you for taking interest in me again Guardian... you've come to be my sanity on these things.

I'm working on something truly unique for my wife (& the RN community) so this will be a bit complex to explain and understand. (I'm really trying to not give away all the details before I'm ready for everyone to see)

The form itself will be used by admins only as it's accessed via the admin panel only. The way this works is by having a control panel in an "OpenTable() CloseTable()" up at the top and a placeholder "OpenTable() CloseTable()" below that. When particular buttons are clicked in the control panel... a jquery $.ajax is fired and the success function() of the ajax loads the returned data into the placeholder.

So in this particular instance... what is being loaded into the placeholder is a form and this form uses jquery to submit. (This is where we get to the second level jquery. What I mean by this is that it's a jquery $.ajax function within a jquery $.ajax function)

Since this form is not loaded via the normal page load while including the header/footer etc... and is only loading a specific "FORM" html (this form is loaded via an admin.php?op=)... I don't believe the credentials are being calculated and when the form is submitted to the "admin.php?op=" It's triggering the block because it's not seeing the second level as still being an admin since the credentials are not calculated and passed.

I hope this makes sense... I felt like my brain was going to explode last night just trying to understand how the N.S. triggers work, how the credentials are passed & how all this might possibly work with jquery in the mix.

Another piece of information that might help (or not help) clarify some things... if I enable AdminAuth in the nukeSent settings... when the loaded form is submitted... it asks me to log in (the .htaccess popup) even though I had already logged in just to get to the admin side of the site.

Here is the block that is being triggered (minus the post info as it's not really important):

Code:
Created By: NukeSentinel(tm) 2.6.03

Date & Time: 2011-04-25 21:19:04 CDT GMT -0500
Blocked IP: xxx.xx.xx.xxx
User ID: Anonymous (1)
Reason: Abuse-Admin


Notice that the "User ID" is "Anonymous" even though I'm logged in with an admin account & a regular user account.
 
nuken
RavenNuke(tm) Development Team



Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

PostPosted: Tue Apr 26, 2011 8:39 am Reply with quote

Make sure the $admin variable is being passed/declared throughout the op....

killing-hours







PostPosted: Tue Apr 26, 2011 8:45 am Reply with quote

Nuken... that is exactly what I was trying to figure out yesterday and why my head was feeling like it was going to explode. Could you please elaborate a bit on that.. plz.

I looked in the N.S.php file and it called a function "is_admin($_COOKIE['admin'])" which either comes back as a 0 or 1... is that the variable that needs to be set?

I.e.

Code:
$admin = '1';


Pass this?

This is just shorthand manually setting it... wouldn't actually do it that way.

---------

That got me a little closer... now I get "Illegal Operation" instead of a N.S. block so I'm at least getting to the actual admin.php file now.... I think. :)
 
nuken







PostPosted: Tue Apr 26, 2011 9:45 am Reply with quote

You should be able to declare it as a global $admin; within each op. If you are logged in as admin, it should satisfy the is_admin function.
 
killing-hours







PostPosted: Tue Apr 26, 2011 9:53 am Reply with quote

Oh I wish it were that simple.

I'm going to have to set up a test module running a similar setup so that I can reproduce the method / error for it to be clear. This really is a bit too complex and possibly above my pay grade.

Give me a little while to get it setup and packaged for y'all.

Thanks for the efforts!
 
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Tue Apr 26, 2011 10:14 am Reply with quote

killing-hours, first, why are you passing javascript via get and/or post?

Second, when you are using ajax are you using the same url that you use when you log in to your site? What I mean by this is that if you go to your site with the following http://mysite.com make sure you are not using http://www.mysite.com and of course do not use an IP address.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
killing-hours







PostPosted: Tue Apr 26, 2011 10:35 am Reply with quote

Here is a test module that I setup to be very similar to how I've got the production version setup. It uses an uploader (uploadify.com) to manage uploads.

http://www.mediafire.com/?1cxpn49lygbbs4a

Palbin, not sure what you mean by passing the javascript. I'm not getting it via a post... I'm getting the html form data and loading it to a placeholder. Like I said... this is really difficult to explain, hence I created the test module. In that module... I've commented the jquery to explain what is going on.
 
Palbin







PostPosted: Tue Apr 26, 2011 10:40 am Reply with quote

The only way you could be getting "javascript is blocked (Abuse-admin)" is if it is interpreting something in a get/post string as javascript.
 
killing-hours







PostPosted: Tue Apr 26, 2011 10:46 am Reply with quote

It's not the "javascript" that is being blocked... it's that when the "OP" in the javascript is called (uploadify) it's not passing the credentials along and therefore... failing to see that it's an admin calling the script.

As with the post above with the N.S. block message... the "USER ID" info is never passed and N.S. assumes that is an anon attack of some sort since it's "anon" calling admin.php and not an admin.

The whole reason for the op in the javascript goes back to another thread (include mainfile.php in outside scripts) which gives me the $db functions. Plus, it should be this way so that the script is tailored for RN rather than RN tailoring to the script.
 
Palbin







PostPosted: Tue Apr 26, 2011 10:55 am Reply with quote

OK, your title confused me a bit. I thought that was the block. I will look at it tonight when I can load your test case.
 
killing-hours







PostPosted: Tue Apr 26, 2011 11:00 am Reply with quote

Thank you sir! I believe the solution to this is to gather the appropriate admin data when the form is loaded and assign it to some hidden inputs... and pass it along with the uploader settings when the uploader is triggered. I just don't understand how to do that (the admin gathering).

Since the jquery is loading just form html data and nothing else... when the uploader is triggered... it's looking like anon is sending the request as the admin information is not set. Just my .02 understanding from all the debugging. Looks like your sig is correct sir ;)
 
Guardian2003







PostPosted: Tue Apr 26, 2011 11:27 am Reply with quote

I have only taken a 2 second glance at the files but I want to re-affirm what nuken wrote regarding $admin.
The $admin variable is supposed to hold the current admin session and this session is checked when passing through admin.php
Code:


$admin = base64_encode("$aid:$pwd:$admlanguage");
setcookie('admin',$admin,time()+2592000);

Therefore you would need to globalise $admin in your admin/index.php and also in any functions you are using that are not simply returning a 'state' to the script being processed.

The easiest way to debug this might simply be to add something like
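Code:
// Temporary debug check: does this request carry a valid admin session?
if (is_admin($admin)) {
    print_r($_POST);   // show what the form actually submitted
    echo 'valid admin';
} else {
    echo 'invalid admin';
}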

at the very top of your admin/index.php
At least you should now be able to see where it's falling over as you step through the code (possibly with NS turned off?).
 
killing-hours







PostPosted: Tue Apr 26, 2011 1:01 pm Reply with quote

Ok... I've commented out... one by one these functions and gotten it to work. (all line numbers based on a fresh install)

NukeSentinel: Lines 114 - 115

Code:
if(isset($aid) AND (!isset($_COOKIE['admin']) OR empty($_COOKIE['admin'])) AND $op!='login') { die(_AB_FALSEADMIN); }

if((isset($aid) AND !empty($aid)) AND (!isset($_COOKIE['admin']) OR empty($_COOKIE['admin'])) AND $op!='login') { die(_AB_FALSEADMIN); }


NukeSentinel: Lines 246 - 251

Code:
$blocker_row = @$blocker_array[10];

if($blocker_row['activate'] > 0) {
  if(stristr($_SERVER['PHP_SELF'],"".$admin_file.".php") AND (isset($op) AND $op!="login" AND $op!="adminMain" AND $op!="gfx") AND @!is_admin($_COOKIE['admin'])) {
    block_ip($blocker_row);
  }
}


Mainfile: Lines 82-84

Code:
if((isset($admin) && $admin != $_COOKIE['admin']) OR (isset($user) && $user != $_COOKIE['user'])) {

   die('Illegal Operation');
}


----------------------------

Now I need to find a way to pass the information it's looking for on through the jquery. The form that is loaded should retrieve and set this information... the way I'm following this. Since the form in question is not loaded via conventional methods, What are other possibilities for getting this information and passing it in a post string?

Note*** I set "$admin = $_COOKIE['admin']" and that's how it gets through while those checks are commented out.
 
Palbin







PostPosted: Tue Apr 26, 2011 4:47 pm Reply with quote

You should not have to send any "credentials". You are already logged in, and when the url is called it should do the same thing it always does. It does not matter if the site is called via ajax or whatever.

I see that this thing somehow uses Flash. I would say that is what is causing your problem, but I have no idea why. I will take a look now.
 
Palbin







PostPosted: Tue Apr 26, 2011 5:22 pm Reply with quote

It does appear to be a flash problem. Read the following:
http://www.uploadify.com/forums/discussion/43/using-sessions-tricking-basic-authentication/p1
http://swfupload.org/forum/generaldiscussion/383
https://bugs.adobe.com/jira/browse/FP-1044

It would appear from reading the above that you could possibly send some kind of session id, but I do not know if that would work as I am not familiar with authentication and sessions etc.

I would say that your best bet is to find a different jQuery plugin that does not use flash, but I am not sure there are many.
 
killing-hours







PostPosted: Tue Apr 26, 2011 5:55 pm Reply with quote

I've used this uploader fine in different projects within RN... however, this is the first time I've tried dynamically loading a form with it in it. I may have to try another approach.

On a side note... I tried making your edits listed in the "include mainfile" topic but still couldn't get the mainfile to load using " require_once('mainfile.php') ". I could always resort to what fkelly posted about the ad hoc way of getting the function into the processing script... but that will end up causing the user to set those variables which I am trying desperately to avoid.

I'll keep tinkering... something may come to me later. Thanks for all your help!
 
Guardian2003







PostPosted: Wed Apr 27, 2011 1:44 am Reply with quote

Just a quick question; Are you loading different elements of the form dynamically? What I mean by that is, will the form have different inputs/checkboxes/buttons etc?
I'm just wondering if you could get away with simply hiding/showing the form.
 
killing-hours







PostPosted: Wed Apr 27, 2011 7:13 am Reply with quote

Well... according to what Palbin posted... it's that the flash object that replaces the normal file input uses a new session which is causing the problem.

Given that, I woke from a dead sleep about 45mins earlier than I usually get up this morning thinking about this and how to possibly bridge the gap between the sessions. (if that's possible)

What is on my mind this morning is if it is possible to re-establish the session via the post string which I can alter via the uploader's "scriptData" setting. I haven't had the chance to begin looking into it this morning though.

I could always fall back to using the direct script path approach as discussed in "include mainfile" topic but that lends itself to other problems to overcome and more work for the end user to setup the module.
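
Added example (not from the thread and not RavenNuke(tm) or NukeSentinel(tm) code): one way to bridge the Flash uploader's cookie-less request without putting the admin cookie itself into scriptData, since per the setcookie() snippet above that cookie is base64 of aid:pwd:admlanguage. The function names, the key constant and the 5-minute lifetime are assumptions, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added illustration; every name below is hypothetical, not project code.
// UPLOAD_TOKEN_KEY is a server-side secret (placeholder value) that never
// leaves the server. Only the signed token is sent to the browser.
define('UPLOAD_TOKEN_KEY', 'replace-with-a-long-random-secret');
define('UPLOAD_TOKEN_TTL', 300); // token lifetime in seconds (assumption)

// Call while rendering the form through admin.php, i.e. in a request that
// has already passed the normal cookie-based admin check.
function issue_upload_token($aid, $now = null) {
    $now = ($now === null) ? time() : $now;
    $payload = base64_encode($aid) . '.' . ($now + UPLOAD_TOKEN_TTL);
    // The 'upload|' prefix binds the MAC to this single purpose.
    $mac = hash_hmac('sha256', 'upload|' . $payload, UPLOAD_TOKEN_KEY);
    return $payload . '.' . $mac;
}

// Call in the upload handler. Returns the admin id the token was issued
// for, or false if the token is malformed, forged or expired.
function verify_upload_token($token, $now = null) {
    $now = ($now === null) ? time() : $now;
    $parts = explode('.', (string)$token);
    if (count($parts) !== 3) { return false; }
    list($aid64, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', 'upload|' . $aid64 . '.' . $expires,
                          UPLOAD_TOKEN_KEY);
    // Constant-time comparison before trusting any field of the token.
    if (!hash_equals($expected, $mac)) { return false; }
    if (!ctype_digit($expires) || (int)$expires < $now) { return false; }
    $aid = base64_decode($aid64, true);
    return ($aid === false || $aid === '') ? false : $aid;
}

// Constructed demo values (fixed clock so the cases are repeatable).
$token = issue_upload_token('exampleadmin', 1000);
var_dump(verify_upload_token($token, 1100));        // fresh token
var_dump(verify_upload_token($token, 1301));        // past its lifetime
var_dump(verify_upload_token($token . 'x', 1100));  // tampered MAC
```

The token would be placed in the uploader's scriptData when the form is rendered, and the upload handler should accept it for the upload operation only, never as a general admin login.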
 
All times are GMT - 6 Hours