Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
Author Message
killing-hours
RavenNuke(tm) Development Team


Joined: Oct 01, 2010
Posts: 438
Location: Houston, Tx

PostPosted: Mon Apr 25, 2011 12:42 pm Reply with quote

Hey all-

I have a script that is calling an admin op... however, the script is being blocked with "Abuse-Admin".

Here's how it works...

Form is loaded via jquery $.ajax -----> User form (on submit) ---> Custom Jquery gathers variable data sends to ----> Processing script which calls the admin.php?op=TestOp.

When that secondary script fires... It triggers a block from N.S. I'm assuming because it's not first level jquery. Anyone ever had a run in with type of situation and possibly how to overcome it?

------------

Ok... so the solution would be to pass the cookie information along to the dataflow. Is this possible and if so... what would be the "proper" way to pass this information on so that when the second script fires to the admin.php... it passed along the credential information?

_________________
Money is the measurement of time - Me
"You can all go to hell…I’m going to Texas" -Davy Crockett

Last edited by killing-hours on Tue Apr 26, 2011 11:01 am; edited 1 time in total 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Tue Apr 26, 2011 4:27 am Reply with quote

Just to clarify, when you say "user form" you really mean "admin form" in the context that it would be a site administrator submitting the form?
If the answer is no, you'll have to back-track a bit. User submitted data should always pass through modules.php not admin.php
That would be fatal in PHP-Nuke because there is NO cross-site-request-forgery protection.

Now for the easy bit (possibly), if your IP is in the 'protected range' (which it should be if NS is configured correctly) I believe NS should simply allow any data to pass through and not even be attempting to examine your POSTed form data.
It sounds like your NS default blocker is set to Abuse-Admin and I would have expected Abuse-Script to be triggered so this sounds more like something in the actual POST data it doesn't like, rather than the process of submitting the form.

I hope that might help.
 
View user's profile Send private message Send e-mail
killing-hours
PostPosted: Tue Apr 26, 2011 7:41 am Reply with quote

Thank you for taking interest in me again Guardian... you've come to be my sanity on these things.

I'm working on something truly unique for my wife (& the RN community) so this will be a bit complex to explain and understand. (I'm really trying to not give away all the details before I'm ready for everyone to see)

The form itself will be used by admins only as it's accessed via the admin panel only. The way this works is by having a control panel in an "OpenTable() CloseTable()" up at the top and a placeholder "OpenTable() CloseTable()" below that. When particular buttons are clicked in the control panel... a jquery $.ajax is fired and the success function() of the ajax loads the returned data into the placeholder.

So in this particular instance... what is being loaded into the placeholder is a form and this form uses jquery to submit. (This is where we get to the second level jquery. What I mean by this is that it's a jquery $.ajax function within a jquery $.ajax function)

Since this form is not loaded via the normal page load while including the header/footer etc... and is only loading a specific "FORM" html (this form is loaded via an admin.php?op=)... I don't believe the credentials are being calculated and when the form is submitted to the "admin.php?op=" It's triggering the block because it's not seeing the second level as still being an admin since the credentials are not calculated and passed.

I hope this makes sense... I felt like my brain was going to explode last night just trying to understand how the N.S. triggers work, how the credentials are passed & how all this might possibly work with jquery in the mix.

Another piece of information that might help (or not help) clairfy some things... if I enable AdminAuth in the nukeSent settings...when the loaded form is submitted... it asks me to log in (the .htaccess popup) even though I had already logged in just to get to the admin side of the site.

Here is the block that is being triggered (minus the post info as it's not really important):

Code:
Created By: NukeSentinel(tm) 2.6.03

Date & Time: 2011-04-25 21:19:04 CDT GMT -0500
Blocked IP: xxx.xx.xx.xxx
User ID: Anonymous (1)
Reason: Abuse-Admin


Notice that the "User ID" is "Anonymous" even though I'm logged in with an admin account & a regular user account.
 
nuken
RavenNuke(tm) Development Team


Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

PostPosted: Tue Apr 26, 2011 8:39 am Reply with quote

Make sure the $admin variable is being passed/declared throughout the op....

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
killing-hours
PostPosted: Tue Apr 26, 2011 8:45 am Reply with quote

Nuken... that is exactly what I was trying to figure out yesterday and why my head was feeling like it was going to explode. Could you please elaborate a bit on that.. plz.

I looked in the N.S.php file and it called a function "is_admin($_COOKIE['admin'])" which either comes back as a 0 or 1... is that the variable that needs to be set?

I.e.

Code:
$admin = '1';


Pass this?

This is just shorthand manually setting it... wouldn't actually do it that way.

---------

That got me a little closer... now I get "Illegal Operation" instead of a N.S. block so I'm at least getting to the actual admin.php file now.... I think. Smile
 
nuken
PostPosted: Tue Apr 26, 2011 9:45 am Reply with quote

You should be able to declare it as a global $admin; within each op. If you are logged in as admin, it should satisfy the is_admin function.
 
killing-hours
PostPosted: Tue Apr 26, 2011 9:53 am Reply with quote

Oh I wish it were that simple.

I'm going to have to setup a test module running a similar setup so that I can reproduce the method / error for it to be clear. This really is a bit to complex and possibly above my pay grade.

Give me a little while to get it setup and packaged for y'all.

Thanks for the efforts!
 
Palbin
Site Admin


Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Tue Apr 26, 2011 10:14 am Reply with quote

killing-hours, First Why are you passing javascript via get and/or post?

Second when you are using ajax are you using the same url that you use when you login to your site? What I mean by this is that if you go to your site with the following Only registered users can see links on this board! Get registered or login! make sure you are not using Only registered users can see links on this board! Get registered or login! and of course do not sue an IP address.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
View user's profile Send private message
killing-hours
PostPosted: Tue Apr 26, 2011 10:35 am Reply with quote

Here is a test module that I setup to be very similar to how I've got the production version setup. It uses an uploader (uploadify.com) to manage uploads.
Only registered users can see links on this board! Get registered or login!

Palbin, not sure you what you mean by passing the javascript. I'm not getting it via a post... i'm getting the html form data and loading it to a placeholder. Like I said... this is really difficult to explain hence i created the test module. In that module... I've commented the jquery to explain what is going on.
 
Palbin
PostPosted: Tue Apr 26, 2011 10:40 am Reply with quote

The only way you could be getting "javascript is blocked (Abuse-admin)" if it is interpreting something in a get/post string as javascript.
 
killing-hours
PostPosted: Tue Apr 26, 2011 10:46 am Reply with quote

It's no the "javascript" that is being blocked... it's that when the "OP" in the javascript is called (uploadify) it's not passing the credentials along and therefore... failing to see that it's an admin calling the script.

As with the post above with the N.S. block message... the "USER ID" info is never passed and N.S. assumes that is an anon attack of some sort since it's "anon" calling admin.php and not an admin.

The whole reason for the op in the javascript goes back to another thread (include mainfile.php in outside scritps) which gives me the $db functions. Plus, it should be this way so that the script is tailored for RN rather than RN tailoring to the script.
 
Palbin
PostPosted: Tue Apr 26, 2011 10:55 am Reply with quote

OK, your title confused me a bit. I thought that was the block. I will look at it tonight when can load your test case.
 
killing-hours
PostPosted: Tue Apr 26, 2011 11:00 am Reply with quote

Thank you sir! I believe the solution to this is to gather the appropriate admin data when the form is loaded and assign it to some hidden inputs... and pass it along with the uploader settings when the uploader is triggered. I just don't understand how to do that (the admin gathering).

Since the jquery is loading just form html data and nothing else... when the uploader is triggered... it's looking like anon is sending the request as the admin information is not set. Just my .02 understand from all the debugging. Looks like your sig is correct sir Wink
 
Guardian2003
PostPosted: Tue Apr 26, 2011 11:27 am Reply with quote

I have only taken a 2 second glance at the files but I want to re-affirm what nuken wrote regarding $admin.
The $admin variable is supposed to hold the current admin session and this session is checked when passing through admin.php
Code:


$admin = base64_encode("$aid:$pwd:$admlanguage");
setcookie('admin',$admin,time()+2592000);

Therefore you would need to globalise $admin in your admin/index.php and also in any functions you are using that are not simply returning a 'state' to the script being processed.

The easiest way to debug this might simply be to add something like
Code:


if(is_admin($admin)) {
print_r $_POST;
echo 'valid admin';
} else {
echo 'invalid admin';
}

at the very top of your admin/index.php
At least you should now be able to see where it's falling over as you step through the code (possibly with NS turned off?).
 
killing-hours
PostPosted: Tue Apr 26, 2011 1:01 pm Reply with quote

Ok... I've commented out... one by one these functions and gotten it to work. (all line numbers based on a fresh install)

Nukesentinal: Lines 114 - 115

Code:
if(isset($aid) AND (!isset($_COOKIE['admin']) OR empty($_COOKIE['admin'])) AND $op!='login') { die(_AB_FALSEADMIN); }

if((isset($aid) AND !empty($aid)) AND (!isset($_COOKIE['admin']) OR empty($_COOKIE['admin'])) AND $op!='login') { die(_AB_FALSEADMIN); }


Nukesentinal: Lines 246 - 251

Code:
$blocker_row = @$blocker_array[10];

if($blocker_row['activate'] > 0) {
  if(stristr($_SERVER['PHP_SELF'],"".$admin_file.".php") AND (isset($op) AND $op!="login" AND $op!="adminMain" AND $op!="gfx") AND @!is_admin($_COOKIE['admin'])) {
    block_ip($blocker_row);
  }
}


Mainfile: Lines 82-84

Code:
if((isset($admin) && $admin != $_COOKIE['admin']) OR (isset($user) && $user != $_COOKIE['user'])) {

   die('Illegal Operation');
}


----------------------------

Now I need to find a way to pass the information it's looking for on through the jquery. The form that is loaded should retrieve and set this information... the way I'm following this. Since the form in question is not loaded via conventional methods, What are other possibilities for getting this information and passing it in a post string?

Note*** I set "$admin = $_COOKIE['admin']" it that's how it gets through while those checks are commented out.
 
Palbin
PostPosted: Tue Apr 26, 2011 4:47 pm Reply with quote

You should not have to send and "credentials". You are already logged in, and when the url is called it should do the same thing it always does. It does not matter if the site is called via ajax or whatever.

I see that this thing somehow uses Flash. I would say that is what is casing your problem, but I have no idea why. I will take a look now.
 
Palbin
PostPosted: Tue Apr 26, 2011 5:22 pm Reply with quote

It does appear to be a flash problem. Read the following: Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login!

It would appear from the reading the above that you could possibly send some kind of session id, but I do not know if that would work as I am not familiar with authentication and sessions ect.

I would say that your best bet is to find a different jQuery plugin that does not use flash, but I am not sure there are many.
 
killing-hours
PostPosted: Tue Apr 26, 2011 5:55 pm Reply with quote

I've used this uploader fine in different projects within RN... however, this is the first time I've tried dynamically loading a form with it in it. I may have to try another approach.

On a side note... I tried making your edits listed in the "include mainfile" topic but still couldn't get the mainfile to load using " require_once('mainfile.php') ". I could always resort to what fkelly posted about the ad hoc way of getting the function into the processing script... but that will end up causing the user to set those variables which I am trying desperately to avoid.

I'll keep tinkering... something may come to me later. Thanks for all your help!
 
Guardian2003
PostPosted: Wed Apr 27, 2011 1:44 am Reply with quote

Just a quick question; Are you loading different elements of the form dynamically? What I mean by that is, will the form have different inputs/checkboxes/buttons etc?
I'm just wondering if could get away with simply hiding/showing the form.
 
killing-hours
PostPosted: Wed Apr 27, 2011 7:13 am Reply with quote

Well... according to what Palbin posted... it's that the flash object that replaces the normal file input uses a new session which is causing the problem.

Given that, I woke form a dead sleep about 45mins earlier than I usually get up this morning thinking about this and how to possibly bridge the gap between the sessions. (if that's possible)

What is on my mind this morning is if it is possible to re-establish the session via the post string which I can alter via the uploaders "scriptData" setting. I haven't had the chance to begin looking into it this morning though.

I could always fall back to using the direct script path approach as discussed in "include mainfile" topic but that lends itself to other problems to overcome and more work for the end user to setup the module.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©