Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Mon Jul 17, 2006 7:18 am
Maybe Sentinel could make an exception if the link is exactly of the form:
http://www.mysite.com/index.php?url=http://someothersite
when the user is an admin? I dunno, just throwing things out on the table.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Mon Jul 17, 2006 7:31 am
That's a VERY good point, I had not even thought about the referer showing the admin page address.
I'll have to check that by linking between two of my sites when I get the time.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Wed Jul 19, 2006 12:01 am
Here's a quick fix. The one on my actual site is a little different, so this is sorta untested. (I've hacked it to show the same referrals grouped together, with a group count for easier display.)
Code:
in admin/modules/referers.php
FIND
index.php?url=$url
REPLACE WITH
index.php?url=$rid

in index.php
FIND
if (isset($url) AND is_admin($admin)) {
    Header("Location: $url");
    die();
}
REPLACE WITH
if (isset($url) AND is_admin($admin)) {
    // $url now carries the referer row id, not the destination URL itself
    $url = intval($url);
    // look the stored URL up by id so only addresses already in the table can be redirected to
    $sql = "SELECT url FROM ".$prefix."_referer WHERE rid='$url'";
    $result = $db->sql_query($sql);
    list($url) = $db->sql_fetchrow($result);
    Header("Location: $url");
    die();
}
Gremmie
Posted: Wed Jul 19, 2006 7:46 pm
Evaders, I haven't tried this out, but it sure looks promising. I think in practice you would have to pass another variable to tell index.php which database to use. In other words, you gotta tell it where the link is... in the pending web links table, the referers table, etc. And then index.php would do a switch on the link type and do something similar to what you have above for each type of link.
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
Posted: Wed Oct 18, 2006 10:34 pm
Gremmie wrote:
I didn't say I was going to remove anything in Sentinel.
In my version of PHP-Nuke, 7.9 w/Chatserv's patches, there are lots of places in the admin functions where external links get generated in the form:
http://yoursite.com/index.php?url=http://someexternalsite.com
When I look in index.php I see this:
Code:
if (isset($url) AND is_admin($admin)) {
    Header("Location: $url");
    die();
}
FB or whoever had a reason why external links in admin areas got generated like that... does anyone know the rationale?
Clearly I would rather have Sentinel's XSS protection, but it will mean changing a lot of code in my PHP-Nuke... or just not clicking on those links in the admin areas.

Open includes/nukesentinel.php and find (about line 288):
Code:
// Check for XSS attack
if($op != "hreferer") {
Change the if line to the following:
Code:
if($op != "hreferer" OR (!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin']))) {
Report back if this takes care of your issue so I'll know if it works for 2.5.03.
BobMarion
Posted: Wed Oct 18, 2006 10:39 pm
By the way:
Code:
if (isset($url) AND is_admin($admin)) {
    Header("Location: $url");
    die();
}
in index.php is a cheap way of getting another hit on your site from the admin clicking the links. Sounds just like something Mr. Burzi would do to bloat his own site hits count. It came about in version 7.2, for trivia buffs.
evaders99
Posted: Wed Oct 18, 2006 10:57 pm
No, there was a very good reason. It was a deliberate way not to have the referral pass through your admin page.
BobMarion
Posted: Wed Oct 18, 2006 11:21 pm
My question is why have it pass thru anything? Know what I mean? Why have it generate a hit when the admin is checking links? Anyway, neither here nor there where NS is concerned. The main thing is whether the patch prevents a blocked page from appearing to an admin.
evaders99
Posted: Thu Oct 19, 2006 12:26 am
At least with my fix, it doesn't pass the entire URL into the querystring.
What I'm saying is, if it is a direct link to a 3rd party site, that referral could appear that it is coming from your page
admin.php?op=hreferer
If you've renamed the admin page, you don't want them to know what your admin panel is. The 3rd party will only see index.php in their referrals by the hack FB did.
BobMarion
Posted: Thu Oct 19, 2006 9:58 pm
I'm not being a pain here but:
As of 7.2 Downloads, Web Links and Stories pass links thru the index.php file as index.php?$url.
As of 7.6 the referers.php admin file passes the url thru the index.php file as index.php?$url.
This is new, not a change from passing it thru the admin file. Links were never passed thru anything until the above took place. It does hide the referring url in your case, but why not have a file named pass.php with nothing but:
Code:
if (isset($url)) {
    Header("Location: $url");
    die();
}
in it instead of opening your index.php file to possible sql injection? To me this makes a lot more sense than anything else. It wouldn't call mainfile.php, it would generate the sql queries that mainfile does, and it could not do any harm to your site at all. Do you see the point I'm making? Worst case someone would see a blank page.
Gremmie
Posted: Fri Oct 20, 2006 6:13 pm
BobMarion wrote:
Report back if this takes care of your issue so I'll know if it works for 2.5.03.

Hi Bob,
I still got blocked when visiting a newly submitted link in the admin area. Thanks.
BobMarion
Posted: Fri Oct 20, 2006 6:58 pm
I've shortened it a little bit so maybe it will work for you now. Change it to:
Code:
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin'])) {
This works perfectly for me on my test sites (I have 11 versions of nuke to test with).
Gremmie
Posted: Fri Oct 20, 2006 8:19 pm
That works for me. Thanks!
evaders99
Posted: Sun Oct 22, 2006 4:22 pm
I agree, it shouldn't be passing the full URL in the first place.
But it should do an is_admin() check to stop anyone from using your site as a redirector.
If anyone could place a pass.php?url=http:// term in there, it could be used by spammers and others.