Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Mon Jul 17, 2006 7:18 am

Maybe Sentinel could make an exception if the link is exactly of the form:
[link hidden by the forum: visible only to registered users]


when the user is an admin? I dunno, just throwing things out on the table.
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic

PostPosted: Mon Jul 17, 2006 7:31 am

That's a VERY good point; I had not even thought about the referer showing the admin page address.
I'll have to check that by linking between two of my sites when I get the time.
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Jul 19, 2006 12:01 am

Here's a quick fix. The one on my actual site is a little different, so this is sorta untested. (I've hacked it to show the same referrals grouped together, with a group count for easier display)

Code:

in admin/modules/referers.php

FIND

index.php?url=$url

REPLACE WITH

index.php?url=$rid


in index.php

FIND

if (isset($url) AND is_admin($admin)) {
   Header("Location: $url");
   die();
}

REPLACE WITH

if (isset($url) AND is_admin($admin)) {
   // $url now carries the numeric rid from the referers page, not the target address
   $url = intval($url);
   $sql = "SELECT url FROM ".$prefix."_referer WHERE rid='$url'";
   $result = $db->sql_query($sql);
   list($url) = $db->sql_fetchrow($result);
   if (empty($url)) {
      die();   // unknown rid: send nothing rather than an empty Location header
   }
   Header("Location: $url");
   die();
}
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Wed Jul 19, 2006 7:46 pm

Evaders, I haven't tried this out, but it sure looks promising. I think in practice you would have to pass another variable to tell index.php which database to use. In other words, you gotta tell it where the link is...in the pending web links table, the referers table, etc. And then index.php would do a switch on the link type and do something similar to what you have above for each type of link.
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1043
Location: RedNeck Land (known as Kentucky)

PostPosted: Wed Oct 18, 2006 10:34 pm

Gremmie wrote:
I didn't say I was going to remove anything in Sentinel.

In my version of PHP-Nuke, 7.9 w/Chatservs patches, there are lots of places in the admin functions where external links get generated in the form:
[link hidden by the forum: visible only to registered users]


When I look in index.php I see this:

Code:

if (isset($url) AND is_admin($admin)) {
   Header("Location: $url");
   die();
}


FB or whoever had a reason why external links in admin areas got generated like that....does anyone know the rationale?

Clearly I would rather have Sentinel's XSS protection, but it will mean changing a lot of code in my PHP-Nuke...or just not clicking on those links in the admin areas.


Open includes/nukesentinel.php and find(about line 288):
Code:
  // Check for XSS attack
  if($op != "hreferer") {


Change the if line to the following:
Code:
 if($op != "hreferer" OR (!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin']))) {


Report back if this takes care of your issue so I'll know if it works for 2.5.03.
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1043
Location: RedNeck Land (known as Kentucky)

PostPosted: Wed Oct 18, 2006 10:39 pm

Gremmie wrote:
I didn't say I was going to remove anything in Sentinel.

In my version of PHP-Nuke, 7.9 w/Chatservs patches, there are lots of places in the admin functions where external links get generated in the form:
[link hidden by the forum: visible only to registered users]


When I look in index.php I see this:

Code:

if (isset($url) AND is_admin($admin)) {
   Header("Location: $url");
   die();
}


FB or whoever had a reason why external links in admin areas got generated like that....does anyone know the rationale?

Clearly I would rather have Sentinel's XSS protection, but it will mean changing a lot of code in my PHP-Nuke...or just not clicking on those links in the admin areas.


By the way:
Code:
if (isset($url) AND is_admin($admin)) {
   Header("Location: $url");
   die();
}


in index.php is a cheap way of getting another hit on your site from the admin clicking the links. Sounds just like something Mr. Burzi would do to bloat his own site hits count ;) It came about in version 7.2 for trivia buffs :)
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Oct 18, 2006 10:57 pm

No, there was a very good reason. It was a deliberate way not to have the referral pass through your admin page.
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1043
Location: RedNeck Land (known as Kentucky)

PostPosted: Wed Oct 18, 2006 11:21 pm

My question is why have it pass through anything? Know what I mean? Why have it generate a hit when the admin is checking links. Anyway, neither here nor there where NS is concerned. Main thing is if the patch prevents a blocked page from appearing to an admin.
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Thu Oct 19, 2006 12:26 am

At least with my fix, it doesn't pass the entire URL into the querystring. :)

What I'm saying is, if it is a direct link to a 3rd party site, that referral could appear that it is coming from your page
admin.php?op=hreferer

If you've renamed the admin page, you don't want them to know what your admin panel is. The 3rd party will only see index.php in their referrals by the hack FB did
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1043
Location: RedNeck Land (known as Kentucky)

PostPosted: Thu Oct 19, 2006 9:58 pm

evaders99 wrote:
At least with my fix, it doesn't pass the entire URL into the querystring. :)

What I'm saying is, if it is a direct link to a 3rd party site, that referral could appear that it is coming from your page
admin.php?op=hreferer

If you've renamed the admin page, you don't want them to know what your admin panel is. The 3rd party will only see index.php in their referrals by the hack FB did


I'm not being a pain here but:
As of 7.2 Downloads, Web Links and Stories pass links through the index.php file as index.php?$url .
As of 7.6 the referers.php admin file passes the url through the index.php file as index.php?$url .

This is new, not a change from passing it through the admin file. Links were never passed through anything until the above took place. It does hide the referring url in your case but why not have a file named pass.php with nothing but:
Code:
if (isset($url)) {
   Header("Location: $url");
   die();
}
in it instead of opening your index.php file to possible sql injection? To me this makes a lot more sense than anything else. It wouldn't call mainfile.php, it would generate the sql queries that mainfile does, and it could not do any harm to your site at all. Do you see the point I'm making? Worst case someone would see a blank page :)
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Fri Oct 20, 2006 6:13 pm

BobMarion wrote:

Report back if this takes care of your issue so I'll know if it works for 2.5.03 .


Hi Bob,

I still got blocked when visiting a newly submitted link in the admin area. Thanks.
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1043
Location: RedNeck Land (known as Kentucky)

PostPosted: Fri Oct 20, 2006 6:58 pm

I've shortened it a little bit so maybe it will work for you now. Change it to:
Code:
if(!stristr($nsnst_const['query_string'], "index.php?url=") AND !is_admin($_COOKIE['admin'])) {
This works perfectly for me on my test sites (I have 11 versions of nuke to test with :))
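What the shortened Sentinel line above actually gates is worth seeing on concrete requests. The block below is an added example, not NukeSentinel or RavenNuke code: it wraps the stock condition and the shortened replacement in two functions that return whether the XSS check runs, and evaluates them on a few constructed requests. It assumes that $nsnst_const['query_string'] can be modelled as a plain string and is_admin($_COOKIE['admin']) as a boolean; what the real $nsnst_const['query_string'] contains (the bare query string or the whole request URI) is not stated in the thread, so the second row may or may not apply on a live site. The fourth row does not depend on that: because the two negated terms are ANDed, the check is skipped whenever either side is true, so every request made with a valid admin cookie goes unchecked, not only the index.php?url= hop.

```php
<?php
// Added example, not NukeSentinel or RavenNuke code: the stock gate from
// includes/nukesentinel.php and the shortened replacement from this thread,
// as functions returning whether the XSS check runs, evaluated on constructed
// requests. Assumptions: $nsnst_const['query_string'] is modelled as a plain
// string and is_admin($_COOKIE['admin']) as a boolean.

declare(strict_types=1);

// Stock line (about line 288): the XSS check runs for every request except
// the referer admin page itself.
function xss_check_runs_stock(string $op, string $query_string, bool $admin): bool
{
    return $op != "hreferer";
}

// Shortened replacement from this thread. The two negated terms are ANDed, so
// the check is skipped when EITHER side is true: the query string mentions
// index.php?url=, or the visitor holds a valid admin cookie. An admin session
// is therefore exempt from the XSS check on every URL, not just on the
// referer pass-through.
function xss_check_runs_patched(string $op, string $query_string, bool $admin): bool
{
    return !stristr($query_string, "index.php?url=") && !$admin;
}

// Constructed requests: [op, query string, admin?, description].
$requests = [
    ['modload',  'url=http%3A%2F%2Fexample.com%2F',           true,  'admin follows a referer link'],
    ['modload',  'index.php?url=http%3A%2F%2Fexample.com%2F', false, 'guest, same link, URI-style string'],
    ['modload',  'name=News&file=article&sid=1<script>',       false, 'guest sends an XSS probe'],
    ['modload',  'name=News&file=article&sid=1<script>',       true,  'admin session sends the same probe'],
    ['hreferer', '',                                           true,  'admin opens the referer page'],
];

printf("%-36s %-5s %-6s %s\n", 'request', 'admin', 'stock', 'patched');
foreach ($requests as [$op, $qs, $admin, $desc]) {
    printf("%-36s %-5s %-6s %s\n", $desc, $admin ? 'yes' : 'no',
        xss_check_runs_stock($op, $qs, $admin) ? 'check' : 'skip',
        xss_check_runs_patched($op, $qs, $admin) ? 'check' : 'skip');
}
```

Run it with the PHP CLI; the 'patched' column reads 'skip' for every row where the admin flag is set, which is the trade the shortened line makes for not blocking the admin's click-through.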
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Fri Oct 20, 2006 8:19 pm

That works for me. Thanks!
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Oct 22, 2006 4:22 pm

I agree, it shouldn't be passing the full URL in the first place.

But it should do an is_admin() check to stop anyone from using your site as a redirector.
If anyone could place a pass.php?url=http:// term in there, it could be used by spammers and others
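Putting the thread's pieces together: evaders99's id lookup in place of a URL in the query string, Gremmie's suggestion of a second variable that tells the pass-through script which table the link lives in, and the is_admin() gate that evaders99 insists on so that a pass.php cannot be used as an open redirector. The block below is an added example, not PHP-Nuke, RavenNuke or NukeSentinel code, and it goes one step further than the thread by also refusing stored targets that are not absolute http(s) URLs, since referer and web-link rows are data submitted by visitors. The table and column names in LINK_TABLES, the FakeDb class and the $fetch callable that stands in for $db->sql_query()/sql_fetchrow() are assumptions made so the script runs offline; the real query is shown in a comment.

```php
<?php
// Added example, not PHP-Nuke, RavenNuke or NukeSentinel code. One pass-through
// script that: resolves the target by numeric id (evaders99's fix), dispatches
// on a link type to an allow-listed table (Gremmie's suggestion), requires an
// admin so it is not an open redirector (evaders99's last post), and refuses
// stored targets that are not absolute http(s) URLs.
// Assumptions, not from the page: the names in LINK_TABLES, FakeDb, and the
// $fetch callable standing in for $db->sql_query()/sql_fetchrow().

declare(strict_types=1);

// Allow-list of link types: type => [table suffix after $prefix, id column, url column].
const LINK_TABLES = [
    'referer'  => ['_referer',             'rid', 'url'],
    'weblink'  => ['_links_links',         'lid', 'url'],
    'download' => ['_downloads_downloads', 'lid', 'url'],
];

// Resolve (type, id) to the stored URL, or null if the type is unknown, the
// id is not a positive integer, or no row exists.
function resolve_link(string $prefix, string $type, string $raw_id, callable $fetch): ?string
{
    if (!isset(LINK_TABLES[$type])) {
        return null;                     // an unknown type never reaches SQL
    }
    [$suffix, $id_col, $url_col] = LINK_TABLES[$type];
    $id = intval($raw_id);               // same defence as evaders99's fix
    if ($id <= 0) {
        return null;
    }
    // With PHP-Nuke's $db this would be:
    //   $result = $db->sql_query("SELECT $url_col FROM {$prefix}{$suffix} WHERE $id_col=$id");
    //   list($url) = $db->sql_fetchrow($result);
    return $fetch($prefix . $suffix, $id_col, $url_col, $id);
}

// Only absolute http/https URLs are followed. parse_url() leaves 'host' unset
// for javascript:, data: and relative junk, so those all fail here.
function is_safe_target(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Decide the response for one request. Returns [status, location] instead of
// calling header() so the logic can be exercised without a web server.
function pass_through(array $get, bool $is_admin, string $prefix, callable $fetch): array
{
    if (!$is_admin) {
        return [403, null];              // the check the proposed pass.php lacks
    }
    $url = resolve_link($prefix, (string)($get['type'] ?? ''), (string)($get['url'] ?? ''), $fetch);
    if ($url === null || !is_safe_target($url)) {
        return [404, null];
    }
    return [302, $url];                  // i.e. Header("Location: $url"); die();
}

// Constructed stand-in for the database: table => [id => url].
final class FakeDb
{
    private array $rows = [
        'nuke_referer'             => [7 => 'http://example.com/page?from=ref'],
        'nuke_links_links'         => [3 => 'https://example.org/tool'],
        'nuke_downloads_downloads' => [12 => 'javascript:alert(document.cookie)'], // hostile stored row
    ];
    public function url(string $table, int $id): ?string
    {
        return $this->rows[$table][$id] ?? null;
    }
}

$db    = new FakeDb();
$fetch = fn(string $table, string $id_col, string $url_col, int $id): ?string => $db->url($table, $id);

$cases = [
    [true,  ['type' => 'referer',  'url' => '7']],              // admin follows a referer
    [true,  ['type' => 'download', 'url' => '12']],             // stored javascript: target refused
    [true,  ['type' => 'referer',  'url' => "7' OR '1'='1"]],   // intval() reduces this to 7
    [true,  ['type' => "x' UNION SELECT 1", 'url' => '1']],     // unknown type, no query issued
    [false, ['type' => 'weblink',  'url' => '3']],              // guest: refused, not redirected
];
foreach ($cases as [$admin, $get]) {
    [$status, $location] = pass_through($get, $admin, 'nuke', $fetch);
    printf("admin=%-3s %-34s -> %d %s\n", $admin ? 'yes' : 'no', http_build_query($get), $status, $location ?? '');
}
```

The external site still sees only the pass-through script in its Referer, which is the property FB's index.php?url= hop was after, while nothing attacker-chosen is ever placed in the Location header: the id is coerced with intval(), the table comes from a fixed map, and the stored value is checked before being followed.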