Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
fade2gray
Regular
Regular


Joined: Mar 26, 2006
Posts: 87
Location: UK

PostPosted: Thu Jun 14, 2007 5:17 pm Reply with quote

Couldn't find anything of a resolution to non-god admins getting blocked with "You have attempted an Authors Table attack on this site.", so I've come up with the following (works with 2.5.08 as supplied in rn2.10.01).


If you want only your god-admin to see the "edit admins" icon then...

In nuke/admin/links/links.editadmins.php
find...

if ($radminsuper==1) {

and change to...

if(is_god($_COOKIE['admin'])) {

If you want your non-god admins to see or not see the "edit admins" icon by making it switchable then...

In nuke/config.php
find...

$display_errors = FALSE; //This should only be used (set to TRUE) when testing locally and not in a production environment

and change to...

$display_errors = FALSE; //This should only be used (set to TRUE) when testing locally and not in a production environment
$show_admin_icon = 0; // Set to "0" to hide "edit admin" icon from non-god admins, otherwise set to "1" to show


and in nuke/admin/links/links.editadmins.php
find...

global $admin_file;
if ($radminsuper==1) {


and change to...

global $admin_file, $show_admin_icon;
if ($radminsuper==1 && $show_admin_icon==1) {

(EDIT: make that)
global $admin_file, $show_admin_icon;
if (is_god($_COOKIE['admin']) || ($radminsuper==1 && $show_admin_icon==1)) {
(or god-admin won't see the icon either)



Hope this helps and apologies if it's been covered elsewhere.


Last edited by fade2gray on Fri Jun 15, 2007 9:25 am; edited 2 times in total 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Thu Jun 14, 2007 6:16 pm Reply with quote

Thanks - not sure if this has been covered, but I'd guess it might be helpful to others.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
fade2gray
PostPosted: Fri Jun 15, 2007 9:38 am Reply with quote

There is a side effect to the above tweaks - when you initially log in as god-admin, the "edit admins" icon is not displayed. You need to either click the "admin menu" link in the navbar, or whatever means you use to access the admin menu, before it does display.

It seems that "(is_god($_COOKIE['admin'])" is not "true" immediately after initial login - can anyone suggest a reason for this?
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Jun 15, 2007 10:37 pm Reply with quote

After you added them as Admins in the Edit Authors panel, did you remember to Scan for new Admins in NukeSentinel(tm)? Once you do that you can set the Protected setting and then NukeSentinel(tm) should ignore them.
 
View user's profile Send private message
fade2gray
PostPosted: Sat Jun 16, 2007 3:44 pm Reply with quote

Raven wrote:
After you added them as Admins in the Edit Authors panel, did you remember to Scan for new Admins in NukeSentinel(tm)? Once you do that you can set the Protected setting and then NukeSentinel(tm) should ignore them.

The situation is this - I have become confident in installing and upgrading RN and since 2.10.00 you've made the installation near fool-proof, but in my venture to start experimenting with Sentinel' s configurations, I've been unable to find an up-to-date user guide (that for Sentinel 2.2.1 being the latest). Initially I couldn't understand the difference between un/protected Admins - the user guide contains no reference and searching the web only results in being advised to select protected. I stumbled on the explanation by chance when I found I didn't always need to delete my address from the blocked ip's table - the difference being whether or not the admin was protected.

If no admin, other than god-admin, has any business accessing the "edit admins" menu, then why show them the icon at all (setting them as protected doesn't stop them being warned they are attempting an author's table attack)? That's why I came up with the above.
 
Raven
PostPosted: Sat Jun 16, 2007 9:11 pm Reply with quote

Quote:
If no admin, other than god-admin, has any business accessing the "edit admins" menu
That's not the case. If you allow a non-God admin to have admin rights for stories, let's say, they would have to have access to the admin panel. That's been in nuke forever. Obviously you can modify whatever code you want. Just keep in mind that it's usually easier/safer to work within the application logic/security than to hack the code, unless the code is wrong. You also increase your work when upgrades come along. It seems that in this case that possibly you aren't understanding the reason why admins need to have access to the panel. Or maybe I'm the one not understanding Smile

Either way, as long as you are happy then that's all that counts Wink
 
fade2gray
PostPosted: Sun Jun 17, 2007 8:53 am Reply with quote

Raven wrote:
Or maybe I'm the one not understanding Smile

I think that could well be the case in this instance Raven. Wink

Smack "admin panel" and "edit admins - a specific area of the 'admin panel' where users are promoted with various permissions and where admins can be deleted" - not exactly the same thing eh?

Remember Only registered users can see links on this board! Get registered or login!? I came across that when searching for answers regarding "why should I choose to protect admins or not" and "how to avoid non-god admins getting blocked/banned for accidental 'authors table attacks'".

You have made the "Admin Auth List", "Scan for New Admins" and "Database Maintenance" Sentinel administration links unavailable to non-god admins, so why not do the same for the "edit admins" link? The only reason I could think of for leaving it accessible is in order to test Sentinel's ability to block an "authors table attack", in which case why not make it switchable?

One other thing, when scanning for new admins, why are they not made protected by default? As it is, when a scan is performed and a new admin is found and added to the "Admin Auth List", an email is automatically sent to the user notifying him that he's unprotected (amongst other things) - you then choose to make that user protected and he gets another email telling him so. Confused
 
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Sun Jun 17, 2007 9:06 am Reply with quote

wait, your saying that you want admins to be superuser which shows them both the site administration panel and the modules administration panel.

Now you also want to stop them from viewing the link of edit admin but only edit admin?

This would work, but the problem as Raven has stated would be upgrading your nuke. See if you go to upgrade and then you overwrite, you will have to reedit your files. But if you wish to continue this security implimentation, may I also sudjest the database backup as well, as that will allow the admin to download your database and get key information they have no business getting.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
fade2gray
PostPosted: Sun Jun 17, 2007 9:59 am Reply with quote

gregexp wrote:
wait, your saying that you want admins to be superuser which shows them both the site administration panel and the modules administration panel.

Now you also want to stop them from viewing the link of edit admin but only edit admin?
What I'm saying is "Why can superusers accidentally block/ban themselves when a relatively simple change in the code can prevent this".

gregexp wrote:
This would work, but the problem as Raven has stated would be upgrading your nuke. See if you go to upgrade and then you overwrite, you will have to reedit your files.
Yes, I understand this but would it be too much to implement a small code change, as suggested, in future upgrades/releases to prevent the above problem?

gregexp wrote:
But if you wish to continue this security implimentation, may I also sudjest the database backup as well, as that will allow the admin to download your database and get key information they have no business getting.
What can I say? I learn something new every day, thanks. Wink
 
Raven
PostPosted: Sun Jun 17, 2007 10:10 am Reply with quote

fade2gray,

This is a matter of opinion Smile We designed NukeSentinel(tm) to give the Webmaster control, not an admin/code. We purposely chose to not make every admin protected for security reasons. The Webmaster admin should always review who the system has made an admin in the event of a hack. This not only could happen but does happen. That's why we chose the route we did. I believe that the majority of users, if polled, would choose to be safer and have to take an extra step than to have everyone who appears to be admin is automatically upgraded to protected.
 
fade2gray
PostPosted: Sun Jun 17, 2007 10:42 am Reply with quote

Raven wrote:
fade2gray,

This is a matter of opinion Smile We designed NukeSentinel(tm) to give the Webmaster control, not an admin/code. We purposely chose to not make every admin protected for security reasons. The Webmaster admin should always review who the system has made an admin in the event of a hack. This not only could happen but does happen. That's why we chose the route we did. I believe that the majority of users, if polled, would choose to be safer and have to take an extra step than to have everyone who appears to be admin is automatically upgraded to protected.

Thanks, that does clarify things a little and makes perfect sense.

So leaving the "edit admins" link for superusers to attempt to tinker with is left as kind of "hack/abuse bait", and could the same be said also for the "database backup" link that gregexp mentioned?
 
Raven
PostPosted: Sun Jun 17, 2007 11:55 am Reply with quote

Only God admins should be able to add Admin accounts. If you don't want them to have control over the entire site, then just make them admins over individual areas but don't make them a super user. Leaving the link there should not cause you any security issues. BTW, if you can't trust your super users then don't make them super Wink

However, in testing this, I have discovered a misfire in NukeSentinel(tm). It seems that after you protect a super user, NS will not ban the IP but still displays the Author Attack screen. We will fix that Smile
 
fade2gray
PostPosted: Sun Jun 17, 2007 12:37 pm Reply with quote

Raven wrote:
Only God admins should be able to add Admin accounts.
Agreed.

Raven wrote:
If you don't want them to have control over the entire site, then just make them admins over individual areas but don't make them a super user. Leaving the link there should not cause you any security issues.
Ok, so leaving the link there is not a security threat, but If I do want to promote someone I trust to superuser, I have to implicitly explain to them why not to click on 'edit admins' link accidentally or out of curiosity.

Raven wrote:
BTW, if you can't trust your super users then don't make them super Wink
Raven wrote:
We purposely chose to not make every admin protected for security reasons. The Webmaster admin should always review who the system has made an admin in the event of a hack. This not only could happen but does happen.
Could removing the 'edit admins' link from the view/temptation of superusers help prevent this?

Raven wrote:
However, in testing this, I have discovered a misfire in NukeSentinel(tm). It seems that after you protect a super user, NS will not ban the IP but still displays the Author Attack screen. We will fix that Smile
Ah! The penny has dropped! If it wasn't for this 'misfire', I'd have no need to have sought a solution and/or work-around in the first place.

No thanks for bringing it to your attention? Wink
 
Raven
PostPosted: Sun Jun 17, 2007 12:52 pm Reply with quote

worship
 
fade2gray
PostPosted: Sun Jun 17, 2007 1:06 pm Reply with quote

Raven wrote:
worship

lol - Never dreamt I'd see the day that Raven would bow to me. I'll relish the moment while it lasts. Dance-Y RavensScripts
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©