Block when approving links

Posted: Sun Jul 16, 2006 10:56 am

I just got a link submitted, and clicking on the Visit link in the admin panel gave me a Sentinel block...I suppose its because the visit link is getting generated like this:

Code:




http://www.mysite.com/index.php?url=http://www.somelink.com

(So, why does the link get generated like that anyway?)

I will recode that part of the Web_Links module so that the Visit link just looks like http:://www.somelink.com, but just thought I would give a heads up.

Posted: Sun Jul 16, 2006 11:14 am

That shouldn't happen.
Have you tried inserting the actual link url when submitting it through the form as [ Only registered users can see links on this board! Get registered or login! ] and as [ Only registered users can see links on this board! Get registered or login! ]
Do both of those give the the same error?

Posted: Sun Jul 16, 2006 11:18 am

Submitting a link as [ Only registered users can see links on this board! Get registered or login! ] gives a 404 not found because the visit link is generated like this:

Code:




http://www.mysite.com/index.php?url=www.somelink.com

Posted: Sun Jul 16, 2006 11:20 am

Hmm ok. I'll test this now on my test site as it has recently had NS 2.5.0 installed

Posted: Sun Jul 16, 2006 11:20 am

It's by design:
[ Only registered users can see links on this board! Get registered or login! ]

Posted: Sun Jul 16, 2006 11:20 am

Good idea gremmie, taking the code out of sentinel would not be a good or wise idea, I hope this works out for you.

Posted: Sun Jul 16, 2006 11:24 am

Does anyone know why PHP-Nuke generates links in admin areas like this anyway? Why not just generate the direct link? Why does it send the link through index.php as the url variable?

Posted: Sun Jul 16, 2006 11:28 am

I am still unable to reproduce this on my test site.
Just in case it is something specific to the url you are attempting, can you post it so I can try that exact url?

Posted: Sun Jul 16, 2006 11:39 am

I've tried many URLs, it doesn't seem to matter. Here is one that did it for me: [ Only registered users can see links on this board! Get registered or login! ]

I just grepped for index.php?url= in the code, and there are like 20-30 occurrences....Web_Links, Downloads, News, Shout_Box.....hmmmm..this will be fun....

Posted: Sun Jul 16, 2006 11:45 am

Well its there to stop crosss site scripting attacks so removing it will leave you wide open.
Which version of phpnuke are you using.

Posted: Sun Jul 16, 2006 11:50 am

I just don't click those Admin links anymore. It takes about 2 seconds to copy the URL and paste it in the address bar of a new window.

Posted: Sun Jul 16, 2006 11:53 am

I didn't say I was going to remove anything in Sentinel.

In my version of PHP-Nuke, 7.9 w/Chatservs patches, there are lots of places in the admin functions where external links get generated in the form:
[ Only registered users can see links on this board! Get registered or login! ]

When I look in index.php I see this:

Code:




if (isset($url) AND is_admin($admin)) {


   Header("Location: $url");


   die();


}

FB or whoever had a reason why external links in admin areas got generated like that....does anyone know the rationale?

Clearly I would rather have Sentinels XSS protection, but it will mean changing a lot of code in my PHP-Nuke...or just not clicking on those links in the admin areas.

Posted: Sun Jul 16, 2006 11:56 am

I just tried the link you postes. I submitted the link as a normal user (logged out of admin).
I logged in as admin, clicked the 'waiting links' link in the admin block which brought up the admin page.
I clicked the 'visit' link to verfiy the url which it did with not problems and then saved it.
I then logged out as admin, whent to weblinks module as a normal users and clicked the link, still no problems.
The test site is using the latest Raven Nuke public release with Sentinel 2.5.0

Posted: Sun Jul 16, 2006 11:59 am

Hover your mouse over the Visit link in the admin area where you approve the link and please post the URL that is generated. Is it of the form: [ Only registered users can see links on this board! Get registered or login! ] ?

Posted: Sun Jul 16, 2006 12:07 pm

Yes that is the exact form it takes.
Strngely though, if you submit the link and then go back in to 'edit' the link, the 'visit' link shows a normal url.
I just cannot reproduce the problem and unless I can, it is impossible for me to offer a fix.

Posted: Sun Jul 16, 2006 12:19 pm

Then perhaps we have different Sentinel settings or something?

Posted: Sun Jul 16, 2006 1:45 pm

Everything is turned on in mine apart from 'force nuke url' , flood blocker and ddos.

Posted: Sun Jul 16, 2006 3:16 pm

Well I'm not sure how to characterize what I have on or off in Sentinel without posting a database table, as I am new at it. Most everything is at defaults. I don't have IP2C data loaded and am not using that. In that other thread, Raven indicated the blocking of links of that form was by design. So why it does not happen to you, I cannot explain.

Posted: Sun Jul 16, 2006 4:23 pm

It might possibly have something to do with that darn stupid tiny_mce editor (again) but as I would never use any version above 7.6 I cannot even try it on higher versions to try and reproduce it.

Posted: Sun Jul 16, 2006 5:02 pm

Well I would wager its Sentinel and not the differences in nuke. Both of our PHP-Nukes are generating links of the form [ Only registered users can see links on this board! Get registered or login! ] but your Sentinel isn't blocking you and mine is.

Posted: Sun Jul 16, 2006 5:30 pm

But I'm not using a version above 7.6 either.
I think Raven or Bob is going to have to sort this one out as I simply cannot reproduce the problem.

Posted: Sun Jul 16, 2006 8:48 pm

I imported the IP2Country stuff and it is still blocking me.

Posted: Sun Jul 16, 2006 11:23 pm

It is blocked with Sentinel. It was designed so that the referrals to the site only see "http://www.mysite.com/index.php" and not your actual admin page Smile

A way to bypass this is not to pass a URL, rather pass the ID number of the referring url and have the database retrieve it. It just requires one database query

Posted: Sun Jul 16, 2006 11:59 pm

Gremmie If you are still blocked from your site you will need to check the .htacces file for your IP address and remove it, then remove your IP from the blocked ip table using phpmyadmin or any other database tool you have.

Posted: Mon Jul 17, 2006 6:53 am

No, I am not blocked from my site. I get a blocked page when clicking on the Visit link in the Web_Links admin page because the links are of that crazy form.

Thank you Evaders....I finally understand why links are getting generated like that!!!!! You rock!

So....coding them to be direct links doesn't seem like a good idea because referals to those foreign sites will see my admin page. And keeping them the way they are causes Sentinel to have a fit....(except for Guardian who doesn't seem to have this problem). A possible solution is what Evaders suggests...but for right now, that seems like a lot of work. I guess I won't click on those links directly in the admin pages for now. Confused